Windows Analysis Report
SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll

Overview

General Information

Sample name: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Analysis ID: 1446235
MD5: 0ce7c03e7ef8a60a4d9493dd627125e5
SHA1: 873da1ff3ab630d51438c7a7eba0f12f4dda1e38
SHA256: 412874adcd4433e43ef1b17328fe5d5b1ac340a4fe6e8203b069390d6e00a9d9
Tags: dll
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4448 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1168 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6556 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • regsvr32.exe (PID: 2584 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • rundll32.exe (PID: 4856 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllCanUnloadNow MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4864 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllGetClassObject MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4180 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Registry Key set | Author: Nasreddine Bencherchali (Nextron Systems): Data: Details: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\loaddll32.exe, ProcessId: 4448, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F233D5B-E44C-47DE-B1CC-2C92FEDE6CE1}\InProcServer32\(Default)
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | ReversingLabs: Detection: 52%
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: certificate valid
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://theuser.wnwb.com
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://weibo.com/wnwbsrf
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://wpa.qq.com/msgrd?v=3&uin=800065838&site=qq&menu=yeshttp://shang.qq.com/wpa/qunwpa?idkey=90c4a
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://www.wnwb.com/
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://www.wnwb.com/390875682800065838JanFebMarAprMayJunJulAugSepOctNovDecJan
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://www.wnwb.com/help.htm
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://www.wnwb.com/http://weibo.com/wnwbsrfhttp://www.wnwb.com/help.htmhttp://http://theuser.wnwb.c
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://www.wnwb.com/skin.htm
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: http://www.wnwb.com/skin.htmAllSkin
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: https://www.baidu.com/s?tn=%s&wd=%shttps://www.baidu.com/s?wd=SearchBaiduNumSearchCandhttps://www.so
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | String found in binary or memory: https://www.baidu.com/s?tn=18029102_8_oem_dgCalc.exe
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Resource name: CABFILE type: Microsoft Cabinet archive data, many, 195551 bytes, 329 files, at 0x2c +A "an1.png" +A "an1_X125.png", ID 7134, number 1, 20 datablocks, 0x1503 compression
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Resource name: CABFILE type: Microsoft Cabinet archive data, many, 5903 bytes, 15 files, at 0x2c +A "no_prompt_wb01.png" +A "no_prompt_wb02.png", ID 24650, number 1, 1 datablock, 0x1503 compression
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Resource name: CABFILE type: Microsoft Cabinet archive data, many, 47203 bytes, 53 files, at 0x2c +A "background.png" +A "CloseDown.png", ID 18287, number 1, 2 datablocks, 0x1503 compression
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Binary or memory string: OriginalFilenamewnTSF.imeB vs SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal56.winDLL@14/5@0/0
Source: C:\Windows\SysWOW64\regsvr32.exe | File created: C:\Program Files (x86)\WanNengWB
Source: C:\Windows\SysWOW64\regsvr32.exe | File created: C:\Users\user\AppData\LocalLow\WanNengWBIME\Config\Related.ini
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Users\user\AppData\LocalLow\WanNengWBIME\Config\Related.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
Source: rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_w';
Source: regsvr32.exe, 00000003.00000003.1508599968.0000000004F9E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1517923046.0000000004F9E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1502300485.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1517493668.0000000004F9E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500828973.0000000004F9B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1515423131.00000000009B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496792902.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1493597591.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497465451.00000000009B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1499702778.00000000009B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_w';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='LatelyUserPhraseV3';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_p_Index_Code','WuBiUserFreqTableV3_p',#1,'CREATE INDEX WuBiUserFreqTableV3_p_Index_Code on WuBiUserFreqTableV3_p(Code)');C7
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_m_Index_Code','WuBiUserFreqTableV3_m',#1,'CREATE INDEX WuBiUserFreqTableV3_m_Index_Code on WuBiUserFreqTableV3_m(Code)');1
Source: loaddll32.exe, 00000000.00000003.1576675934.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1577311780.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiCustomPhraseV1';8
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_e';
Source: rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_a';
Source: loaddll32.exe, 00000000.00000003.1572793651.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1576978359.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1578591600.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='SystemOwnPhraseV1';8
Source: regsvr32.exe, 00000003.00000003.1502083919.00000000030C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1496458175.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500640044.00000000030C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_y';P8
Source: loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCustomPhraseV1';8
Source: rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1514078021.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1515977223.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1516990092.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499028390.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1514200557.0000000000BDB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: create table WuBiCustomPhraseV1( ID Integer PRIMARY KEY,Code TEXT,Word TEXT,Pos Integer);
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='DuanYuUserPhraseV2';8
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1516429419.0000000000A23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1517713355.0000000000A39000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserPhraseV2';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_d_Index_Code','WuBiUserFreqTableV3_d',#1,'CREATE INDEX WuBiUserFreqTableV3_d_Index_Code on WuBiUserFreqTableV3_d(Code)');
Source: regsvr32.exe, 00000003.00000003.1500296336.00000000030CA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinUserFreqTableV3_z';P8
Source: loaddll32.exe, 00000000.00000003.1573043222.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1572591145.0000000002E0A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573590370.0000000002E44000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1573199142.0000000002E40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_k';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='UrlUserPhraseV1';8
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496990571.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1497588866.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494502029.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495089991.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='DeleteUserPhraseV1';
Source: rundll32.exe, 00000004.00000003.1501995733.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524221398.0000000004A92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1536115297.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524296000.0000000004AA1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_o';
Source: loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='DeleteUserPhraseV1';8
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_c';
Source: rundll32.exe, 00000006.00000002.1516990092.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495422720.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495284626.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499028390.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1514200557.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1508587479.0000000000BDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: create table PinYinCustomPhraseV1( ID Integer PRIMARY KEY,Code TEXT,Word TEXT,Pos Integer);
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_l_Index_Code','PinYinUserFreqTableV3_l',#1,'CREATE INDEX PinYinUserFreqTableV3_l_Index_Code on PinYinUserFreqTableV3_l(Code)');
Source: rundll32.exe, 00000007.00000003.1512780517.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1518135586.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1513780980.00000000009E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_y';@
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_r';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_d_Index_Code','WuBiUserFreqTableV3_d',#1,'CREATE INDEX WuBiUserFreqTableV3_d_Index_Code on WuBiUserFreqTableV3_d(Code)');3
Source: rundll32.exe, 00000006.00000003.1512908200.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1512807185.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1512326514.0000000000B5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513499962.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1513581850.0000000000B7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinCloudLocalTableV1_v_Index_Code','PinYinCloudLocalTableV1_v',#1,'CREATE INDEX PinYinCloudLocalTableV1_v_Index_Code on PinYinCloudLocalTableV1_v(Code)');
Source: rundll32.exe, 00000004.00000002.1517107116.0000000004729000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1502368928.0000000004729000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1500948629.0000000004729000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1494693710.0000000004729000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: create table SystemOwnPhraseV1 (ID integer PRIMARY KEY, Code TEXT, ShowWord TEXT, OutWord TEXT, IsDelete integer, MBType integer));
Source: loaddll32.exe, 00000000.00000003.1572793651.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570750503.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1496851372.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1495635624.00000000030E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497491426.00000000030F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1500113158.00000000030FD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_z';
Source: rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524221398.0000000004A92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1536115297.0000000004AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524296000.0000000004AA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543258590.00000000047C9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_t';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_j_Index_Code','WuBiUserFreqTableV3_j',#1,'CREATE INDEX WuBiUserFreqTableV3_j_Index_Code on WuBiUserFreqTableV3_j(Code)');
Source: loaddll32.exe, 00000000.00000003.1580294761.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1581572648.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542907608.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.1553536640.00000000047C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543022788.00000000047BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1542834252.000000000478E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1543167810.00000000047C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinCloudLocalTableV1_v';
Source: regsvr32.exe, 00000003.00000003.1500828973.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1508599968.0000000004F84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1497044833.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1502006801.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497207394.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1499692861.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1517099295.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1494619778.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1497560929.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1495874633.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1524520092.0000000004AA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='WuBiUserFreqTableV3_x';
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_q_Index_Code','WuBiUserFreqTableV3_q',#1,'CREATE INDEX WuBiUserFreqTableV3_q_Index_Code on WuBiUserFreqTableV3_q(Code)');
Source: rundll32.exe, 00000004.00000003.1504305896.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1503441897.0000000000C79000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1496281317.0000000000C78000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1495245983.0000000000C3F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_a_Index_Code','WuBiUserFreqTableV3_a',#1,'CREATE INDEX WuBiUserFreqTableV3_a_Index_Code on WuBiUserFreqTableV3_a(Code)');
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_f_Index_Code','PinYinUserFreqTableV3_f',#1,'CREATE INDEX PinYinUserFreqTableV3_f_Index_Code on PinYinUserFreqTableV3_f(Code)');
Source: regsvr32.exe, 00000003.00000003.1518214869.000000000305B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1519116434.000000000305D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','PinYinUserFreqTableV3_z_Index_Code','PinYinUserFreqTableV3_z',#1,'CREATE INDEX PinYinUserFreqTableV3_z_Index_Code on PinYinUserFreqTableV3_z(Code)');
Source: loaddll32.exe, 00000000.00000003.1576675934.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1579876770.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570874316.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570516625.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1567592649.0000000000F22000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1577311780.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.1582195339.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1570932837.0000000000F40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='PinYinSystemPhraseV1';8
Source: rundll32.exe, 00000004.00000003.1496860879.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1517429894.00000000047F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','WuBiUserFreqTableV3_h_Index_Code','WuBiUserFreqTableV3_h',#1,'CREATE INDEX WuBiUserFreqTableV3_h_Index_Code on WuBiUserFreqTableV3_h(Code)');
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33C53A50-F456-4884-B049-85FD643ECFED}\InProcServer32
Source: C:\Windows\System32\loaddll32.exe | File written: C:\Users\user\AppData\LocalLow\WanNengWBIME\Config\Related.ini
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: certificate valid
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static file information: File size 3545512 > 1048576
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x20b400
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5172 Thread sleep count: 54 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6552 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6696 Thread sleep count: 81 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dllBinary or memory string: %s*.*.fcb%s%s%drb%s.bak%s.bak%d.vector<T> too longa+b[%d-%d-%d %d-%d-%d][%d]:%sC:\log\%s.logC:\Log\ResLog.dll/()*.*|\Local\LocalLow\Roaming%s\%s\config\systemprofiledocuments and settings\localserviceKernel32.dllWtsapi32.dllWTSQueryUserTokenWTSGetActiveConsoleSessionIdEXPLORER.EXEx86docdesktopfavprogramProgram Files\currtemp\Temp\TEMPdownloadsDownloads\USERPROFILE\Downloads\\AppData\LocalLow\locallowLocalLowRoaminglocalLocalsystemsystem32systemprofileconfig\systemprofile,*1%s.%stypefalsetrue -a661f2d90fff216c2229b9adf2f0c279bacdc88e0bb26d08994982e5a0c9e047e963de71fc4f8287027741390a510f70@8586c00258dc18c32ba289d0b440862409f84c6b4fbee1f8ff421a5dd0b0bd82*Shell_TrayWnd10 '''--=%s/invalid vector<T> subscriptkernel32.dllGetNativeSystemInfokernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection%d%.2d%.2d%d-%.2d-%.2d%[0-9] %[/.-] %[0-9] %[/.-] %[0-9] %[/.-]20002001%.4d-%.2d-%.2d
Source: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dllBinary or memory string: unknown errorchrome.exe360se.exesogouexplorer.exeqqbrowser.exefirefox.exeopera.exewnie.exescie.exemaxthon.exe360chrome.exebaidubrowser.exeiexplore.exesafari.exetwchrome.exespark.exetheworld.exe"" +httpopen\Program Files\Internet Explorer\iexplore.exe WinSta0\Defaultrunas'''identifierBegin:abcdefghijklmnopqrstuvwxyz:identifierEnd0xSysListView32WorkerWProgmanHotKeyIsWow64Processexplorer.exeS:(ML;;NW;;;LW)Advapi32.dllConvertSidToStringSidW.
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 1 Regsvr32 | OS Credential Dumping | 2 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Masquerading | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Rundll32 | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Virtualization/Sandbox Evasion | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Process Injection | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
[Behavior graph] ID: 1446235; Sample: SecuriteInfo.com.Adware.Sof...; Startdate: 23/05/2024; Architecture: WINDOWS; Score: 56
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Process tree: loaddll32.exe started cmd.exe, regsvr32.exe, rundll32.exe and 3 other processes; cmd.exe started rundll32.exe

Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | 52% | ReversingLabs | Win32.PUA.SoftCnapp |
SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
http://theuser.wnwb.com | 0% | Avira URL Cloud | safe |
http://www.wnwb.com/390875682800065838JanFebMarAprMayJunJulAugSepOctNovDecJan | 0% | Avira URL Cloud | safe |
http://www.wnwb.com/skin.htmAllSkin | 0% | Avira URL Cloud | safe |
https://www.baidu.com/s?tn=%s&wd=%shttps://www.baidu.com/s?wd=SearchBaiduNumSearchCandhttps://www.so | 0% | Avira URL Cloud | safe |
http://weibo.com/wnwbsrf | 0% | Avira URL Cloud | safe |
http://www.wnwb.com/ | 0% | Avira URL Cloud | safe |
https://www.baidu.com/s?tn=18029102_8_oem_dgCalc.exe | 0% | Avira URL Cloud | safe |
http://www.wnwb.com/help.htm | 0% | Avira URL Cloud | safe |
http://www.wnwb.com/http://weibo.com/wnwbsrfhttp://www.wnwb.com/help.htmhttp://http://theuser.wnwb.c | 0% | Avira URL Cloud | safe |
http://wpa.qq.com/msgrd?v=3&uin=800065838&site=qq&menu=yeshttp://shang.qq.com/wpa/qunwpa?idkey=90c4a | 0% | Avira URL Cloud | safe |
http://www.wnwb.com/skin.htm | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
http://wpa.qq.com/msgrd?v=3&uin=800065838&site=qq&menu=yeshttp://shang.qq.com/wpa/qunwpa?idkey=90c4a | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://www.wnwb.com/ | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://www.wnwb.com/help.htm | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://theuser.wnwb.com | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://www.wnwb.com/skin.htmAllSkin | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://weibo.com/wnwbsrf | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
https://www.baidu.com/s?tn=18029102_8_oem_dgCalc.exe | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
https://www.baidu.com/s?tn=%s&wd=%shttps://www.baidu.com/s?wd=SearchBaiduNumSearchCandhttps://www.so | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://www.wnwb.com/390875682800065838JanFebMarAprMayJunJulAugSepOctNovDecJan | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://www.wnwb.com/http://weibo.com/wnwbsrfhttp://www.wnwb.com/help.htmhttp://http://theuser.wnwb.c | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
http://www.wnwb.com/skin.htm | SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446235
Start date and time: 2024-05-23 01:30:23 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
Detection: MAL
Classification: mal56.winDLL@14/5@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.85.23.206
  • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target rundll32.exe, PID 4180 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 4856 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 4864 because there are no executed function
  • Execution Graph export aborted for target rundll32.exe, PID 6556 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll

Time | Type | Description
--- | --- | ---
19:31:48 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

No context
No context
No context
No context

Process: C:\Windows\SysWOW64\rundll32.exe
File Type: SQLite 3.x database, last written using SQLite version 0, page size 32768, file counter 75, database pages 0, cookie 0x4b, schema 1, UTF-8, version-valid-for 0
Category: dropped
Size (bytes): 2523136
Entropy (8bit): 0.07739536421075947
Encrypted: false
SSDEEP: 96:D/Fzit1wRK3137t2oynfM9m52xXCMliywF3YBJsDbAIORl9kCez35uuHGFC24F2Q:7FKeNhjAIZp5w9OK
MD5: C7B83EFC1D81CD588B05A63F44993437
SHA1: 6C9EA8FD7AC236EA5640DF488C79532393513E96
SHA-256: C63209964294A9F74F09D34CCECFC3143CF93F048C3FA5E2F5EFBCA455DB500B
SHA-512: 6B808C902C912CB60222C8B1472A4890068771636D85AA915CD4B6B7D407B04AC74E2BDF1FB35DC7EAA05B6BEE91D0E033842E6B70E2F5659B6DBFABC8DCF444
Malicious: false
Reputation: low
      Process:C:\Windows\SysWOW64\regsvr32.exe
      File Type:SQLite Rollback Journal
      Category:modified
      Size (bytes):33288
      Entropy (8bit):3.294595199622588
      Encrypted:false
      SSDEEP:96:7eYnTY56IFzAt1wRK3137t2oynfM9m52xXCMliywF3YBJsDbAIORl9kCez35uuHk:7RT+PFYeNhjAIZp5w9OKv
      MD5:DCBBD7F62E449CC1E7FF139ABDAF2E41
      SHA1:38B08D73A9DE6A2A8FFFF61F9F40C687792C301A
      SHA-256:1E1635BE1232727C2B7FA0B96B39AC02DB7B163438952FB45423F99A18FE10F7
      SHA-512:24D526FD375A6C692DE3BAD188ED3A0AB8EFA80F1F659073C81D63ED38EB2161133EC8C8D646D5C5B884DEBB791FC775017902AC53831D3B6E2898EF4A2ED02F
      Malicious:false
      Reputation:low
      Process:C:\Windows\SysWOW64\rundll32.exe
      File Type:SQLite 3.x database, last written using SQLite version 0, page size 32768, file counter 93, database pages 0, cookie 0x5d, schema 1, UTF-8, version-valid-for 0
      Category:dropped
      Size (bytes):3080192
      Entropy (8bit):0.07562577651259594
      Encrypted:false
      SSDEEP:96:D4HDAFXCDqrDe5N2By4iDCTxU9E5DhgOZ/o3kDwNH6zyDDHWb8HTGZKDDcY9qfiW:7QjpwXMBVs4F6
      MD5:9A32283A021A80C7D400D55E995F3140
      SHA1:A91B0EA23869F9B246ED01E414D99D8969EC6574
      SHA-256:CB251713B0685DF40F913CEDB6C7278A68C12CE2F4179A1451F9FD53908AD679
      SHA-512:A5D65B79DC4B2E2C2B7C0AA8C2D1473F3BF551786934F3626072FB3267D80C0F5FB6E7C3FE325B1CB0E123A2F2E9D1CF83F29233F995E38C6FF499C41BC17F94
      Malicious:false
      Reputation:low
      Process:C:\Windows\SysWOW64\regsvr32.exe
      File Type:SQLite Rollback Journal
      Category:modified
      Size (bytes):33288
      Entropy (8bit):3.545584349146089
      Encrypted:false
      SSDEEP:96:7eq60dDqrDe5N2By4iDCTxU9E5DhgOZ/o3kDwNH6zyDDHWb8HTGZKDDcY9qfi9Dy:7RMQjpwXMBVs4F6D
      MD5:D81EEC74D4749780400557CEB4E67703
      SHA1:8ACBBE76019D0268B1D8F84EA5DFA9BBE39E9F89
      SHA-256:1A2601FB9448DF144FB7204DF14402C64DB0D37A17D737C808783271C4763559
      SHA-512:452EB04A51F13CCAA92346E60D897F50FFB2AB3D7AB7FBAE778AC5E943465550D7A4BAB69678A8B91D11516A45D27D2E4C5ED0B89A97D5690B2EEDADA24F3803
      Malicious:false
      Reputation:low
      Process:C:\Windows\SysWOW64\regsvr32.exe
      File Type:ASCII text, with CRLF line terminators
      Category:modified
      Size (bytes):32
      Entropy (8bit):4.054229296672174
      Encrypted:false
      SSDEEP:3:aCDgR+g:5Q/
      MD5:FBEC917F26077A7EDF32949198A68B53
      SHA1:76995A1C95C3A8C90D6DAB7A2C6D4A1E8852FCDA
      SHA-256:4CC0634C503102E04D8AECEC2E288E008896DC7B2EF216E57A71E9DFFC95F9C4
      SHA-512:2C75318A17ADAC5B5371DEAD586D8EF26087ECFF2F583DCA8237CDE9EBFFB00121AF4758FEA9FD9ABFA1FAF0A7666ACE3CEB286A90F2710975A1BBE84D541378
      Malicious:false
      Preview:[SetModify]..ModifySetConfig=0..
      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.7250220894501265
      TrID:
      • Win32 Dynamic Link Library (generic) (1002004/3) 89.26%
      • Windows ActiveX control (116523/4) 10.38%
      • Generic Win/DOS Executable (2004/3) 0.18%
      • DOS Executable Generic (2002/1) 0.18%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
      File size:3'545'512 bytes
      MD5:0ce7c03e7ef8a60a4d9493dd627125e5
      SHA1:873da1ff3ab630d51438c7a7eba0f12f4dda1e38
      SHA256:412874adcd4433e43ef1b17328fe5d5b1ac340a4fe6e8203b069390d6e00a9d9
      SHA512:2a898a8298d924a3ef966d973bb552b16025d5ae7f19405ea510896d23940aa5d8ee514005ab2f86f6c51f23d438b6076cd279390e2c24aed25072da5ee818e6
      SSDEEP:98304:2rzi/nEi2PO5uVA1wzUVzH01C6roRvN6:2Hi/nEi2PNB2c
      TLSH:CAF59E1D76458C36E5AE42305AA9A63F8438AE7507754CC7F3FC7E1E2B705C26A32A13
      Icon Hash:56b2b2b2b2561606
      Entrypoint:0x1015971e
      Entrypoint Section:.text
      Digitally signed:true
      Imagebase:0x10000000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x65977201 [Fri Jan 5 03:05:37 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:0
      File Version Major:6
      File Version Minor:0
      Subsystem Version Major:6
      Subsystem Version Minor:0
      Import Hash:3e3adab7d2c9efd07021ca97ffedd258
      Signature Valid:true
      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
      Signature Validation Error:The operation completed successfully
      Error Number:0
      Not Before, Not After
      • 27/10/2023 02:00:00 25/03/2026 00:59:59
      Subject Chain
      • CN=Shanghai Oriental Webcasting Co. Ltd., O=Shanghai Oriental Webcasting Co. Ltd., S=\u4e0a\u6d77\u5e02, C=CN, SERIALNUMBER=913100006317722856, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=\u4e0a\u6d77\u5e02, OID.1.3.6.1.4.1.311.60.2.1.3=CN
      Version:3
      Thumbprint MD5:C243B27AB7794158A32ED39BC77533F0
      Thumbprint SHA-1:89F2FDFCF7DB3B23F7766F5A048699F0C1C8D2C6
      Thumbprint SHA-256:151259EDCE63763ED66317B15D3EAF0EB69ED9328B8AACBC7B3563D072B1B937
      Serial:0B03D3410E57678DF3FCA13A38443E84
      Instruction
      push ebp
      mov ebp, esp
      cmp dword ptr [ebp+0Ch], 01h
      jne 00007F5888D9C887h
      call 00007F5888D9CED4h
      push dword ptr [ebp+10h]
      push dword ptr [ebp+0Ch]
      push dword ptr [ebp+08h]
      call 00007F5888D9C743h
      add esp, 0Ch
      pop ebp
      retn 000Ch
      jmp dword ptr [1020D740h]
      mov ecx, dword ptr [ebp-0Ch]
      mov dword ptr fs:[00000000h], ecx
      pop ecx
      pop edi
      pop edi
      pop esi
      pop ebx
      mov esp, ebp
      pop ebp
      push ecx
      ret
      mov ecx, dword ptr [ebp-10h]
      xor ecx, ebp
      call 00007F5888D9BC09h
      jmp 00007F5888D9C860h
      mov ecx, dword ptr [ebp-14h]
      xor ecx, ebp
      call 00007F5888D9BBF8h
      jmp 00007F5888D9C84Fh
      push eax
      push dword ptr fs:[00000000h]
      lea eax, dword ptr [esp+0Ch]
      sub esp, dword ptr [esp+0Ch]
      push ebx
      push esi
      push edi
      mov dword ptr [eax], ebp
      mov ebp, eax
      mov eax, dword ptr [1026F0F0h]
      xor eax, ebp
      push eax
      push dword ptr [ebp-04h]
      mov dword ptr [ebp-04h], FFFFFFFFh
      lea eax, dword ptr [ebp-0Ch]
      mov dword ptr fs:[00000000h], eax
      ret
      push eax
      push dword ptr fs:[00000000h]
      lea eax, dword ptr [esp+0Ch]
      sub esp, dword ptr [esp+0Ch]
      push ebx
      push esi
      push edi
      mov dword ptr [eax], ebp
      mov ebp, eax
      mov eax, dword ptr [1026F0F0h]
      xor eax, ebp
      push eax
      mov dword ptr [ebp-10h], eax
      push dword ptr [ebp-04h]
      mov dword ptr [ebp-04h], FFFFFFFFh
      lea eax, dword ptr [ebp-0Ch]
      mov dword ptr fs:[00000000h], eax
      Programming Language:
      • [ C ] VS2005 build 50727
      • [C++] VS2015 UPD3.1 build 24215
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x26bf10 | 0xc0 | .rdata
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26bfd0 | 0x104 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x287000 | 0xcc4b0 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x35f000 | 0x29a8 | .reloc
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x354000 | 0x17c20 | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x247be0 | 0x38 | .rdata
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
      IMAGE_DIRECTORY_ENTRY_TLS | 0x247c74 | 0x18 | .rdata
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x247c18 | 0x40 | .rdata
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
      IMAGE_DIRECTORY_ENTRY_IAT | 0x20d000 | 0x740 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x20b3e6 | 0x20b400 | 476463be4a685c69e7dd5d2179fd23eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x20d000 | 0x61a32 | 0x61c00 | 63633cbba2a979cbaede21340cbd0c4f | False | 0.37264975623401536 | data | 5.13446134305943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x26f000 | 0x15dfc | 0xca00 | 895ab49843b7311964884d268fdb53e6 | False | 0.1495204207920792 | DOS executable (block device driver ght (c) | 4.538621698149283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .gfids | 0x285000 | 0xbec | 0xc00 | 11be8e480af77115912e529ecae3a926 | False | 0.4208984375 | data | 3.9501216735325464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .tls | 0x286000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x287000 | 0xcc4b0 | 0xcc600 | 90865c54d4d22280427b217b3d5290f8 | False | 0.4817111047400612 | data | 6.259668805194241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x354000 | 0x17c20 | 0x17e00 | 3800f35927dd00e487d4c060cfec9ee3 | False | 0.6471490510471204 | data | 6.6745511352147275 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      CABFILE | 0x2898d8 | 0x2fbdf | Microsoft Cabinet archive data, many, 195551 bytes, 329 files, at 0x2c +A "an1.png" +A "an1_X125.png", ID 7134, number 1, 20 datablocks, 0x1503 compression | Chinese | China | 0.9638508624348635
      CABFILE | 0x2c4d20 | 0x170f | Microsoft Cabinet archive data, many, 5903 bytes, 15 files, at 0x2c +A "no_prompt_wb01.png" +A "no_prompt_wb02.png", ID 24650, number 1, 1 datablock, 0x1503 compression | Chinese | China | 0.9590038963239031
      CABFILE | 0x2b94b8 | 0xb863 | Microsoft Cabinet archive data, many, 47203 bytes, 53 files, at 0x2c +A "background.png" +A "CloseDown.png", ID 18287, number 1, 2 datablocks, 0x1503 compression | Chinese | China | 0.9783064635722306
      DICT | 0x2cc468 | 0xe18e | Unicode text, UTF-16, little-endian text, with very long lines (504), with CRLF line terminators | Chinese | China | 0.8781129853486197
      DICT | 0x2da5f8 | 0x181fc | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | Chinese | China | 0.2795004655305024
      PIC | 0x2f3cb0 | 0x1d0 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0150862068965518
      PIC | 0x2f3e80 | 0x1cb | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0196078431372548
      PIC | 0x2f4050 | 0x20a | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0210727969348659
      PIC | 0x305480 | 0xb4 | PNG image data, 241 x 5, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.95
      PIC | 0x2f4718 | 0x195 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0098765432098766
      PIC | 0x2f48b0 | 0x192 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0024875621890548
      PIC | 0x2f4a48 | 0x1c7 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0153846153846153
      PIC | 0x302488 | 0x24d | PNG image data, 28 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0186757215619695
      PIC | 0x304128 | 0x52c | PNG image data, 180 x 34, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7552870090634441
      PIC | 0x308bb0 | 0x438 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.6638888888888889
      PIC | 0x308500 | 0x6ac | PNG image data, 90 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.550351288056206
      PIC | 0x305660 | 0x12d | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.973421926910299
      PIC | 0x305958 | 0x12d | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.973421926910299
      PIC | 0x307528 | 0x182 | PNG image data, 12 x 9, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0077720207253886
      PIC | 0x2f3248 | 0x153 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9911504424778761
      PIC | 0x2f33a0 | 0x14f | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0029850746268656
      PIC | 0x2f34f0 | 0x165 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9859943977591037
      PIC | 0x2f4c10 | 0x196 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0147783251231528
      PIC | 0x2f4da8 | 0x190 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0075
      PIC | 0x2f4f38 | 0x1db | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.023157894736842
      PIC | 0x303778 | 0x9ab | PNG image data, 180 x 34, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.888080808080808
      PIC | 0x304658 | 0x200 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.021484375
      PIC | 0x3076b0 | 0x43d | PNG image data, 12 x 10, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7050691244239631
      PIC | 0x2f55b0 | 0x14f | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0029850746268656
      PIC | 0x2f5700 | 0x153 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0
      PIC | 0x2f5858 | 0x15d | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9856733524355301
      PIC | 0x2f3658 | 0x1fb | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0216962524654833
      PIC | 0x2f3858 | 0x1f7 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.021868787276342
      PIC | 0x2f3a50 | 0x259 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0183028286189684
      PIC | 0x2f5118 | 0x174 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0026881720430108
      PIC | 0x2f5290 | 0x175 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0053619302949062
      PIC | 0x2f5408 | 0x1a6 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.009478672985782
      PIC | 0x307af0 | 0xd2 | PNG image data, 7 x 10, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0523809523809524
      PIC | 0x2f2b88 | 0x154 | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9970588235294118
      PIC | 0x2f2ce0 | 0x15d | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0
      PIC | 0x307bc8 | 0x10d | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.8327137546468402
      PIC | 0x308008 | 0xfb | PNG image data, 42 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9641434262948207
      PIC | 0x307e58 | 0x1af | PNG image data, 30 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.013921113689095
      PIC | 0x308240 | 0x2be | PNG image data, 33 x 32, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0156695156695157
      PIC | 0x307cd8 | 0x179 | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0079575596816976
      PIC | 0x308108 | 0x135 | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9935275080906149
      PIC | 0x301be8 | 0x29e | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.016417910447761
      PIC | 0x301e88 | 0x2ae | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0160349854227406
      PIC | 0x302138 | 0x34e | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0130023640661938
      PIC | 0x304c68 | 0x1db | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0126315789473683
      PIC | 0x2f2e40 | 0x401 | PNG image data, 12 x 9, 8-bit/color RGBA, interlaced | Chinese | China | 0.6731707317073171
      PIC | 0x308fe8 | 0x7f9 | PNG image data, 96 x 92, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.6197942185203331
      PIC | 0x3097e8 | 0x739 | PNG image data, 96 x 92, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.588967009194159
      PIC | 0x304a10 | 0x148 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0
      PIC | 0x3014c8 | 0x237 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0194003527336861
      PIC | 0x301700 | 0x23e | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.019163763066202
      PIC | 0x301940 | 0x2a6 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0162241887905605
      PIC | 0x2f5ff8 | 0xa828 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.672876788700985
      PIC | 0x300820 | 0x15b | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9971181556195965
      PIC | 0x300980 | 0x158 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9941860465116279
      PIC | 0x305c08 | 0x1b6 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0159817351598173
      PIC | 0x304b58 | 0x10e | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9851851851851852
      PIC | 0x2f59b8 | 0x1f9 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0217821782178218
      PIC | 0x2f5bb8 | 0x1ec | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.016260162601626
      PIC | 0x2f5da8 | 0x24a | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0187713310580204
      PIC | 0x305ed0 | 0x10e | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9851851851851852
      PIC | 0x305dc0 | 0x109 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9849056603773585
      PIC | 0x305790 | 0x1c3 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0133037694013303
      PIC | 0x2f29c0 | 0x1c2 | PC bitmap, Windows 3.x format, 11 x 11 x 24, image size 396, resolution 2834 x 2834 px/m, cbSize 450, bits offset 54 | Chinese | China | 0.16666666666666666
      PIC | 0x305a88 | 0x180 | PNG image data, 10 x 10, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0078125
      PIC | 0x305118 | 0x179 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0026525198938991
      PIC | 0x300ad8 | 0x197 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.00982800982801
      PIC | 0x300c70 | 0x197 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0147420147420148
      PIC | 0x300e08 | 0x1ad | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.013986013986014
      PIC | 0x300fb8 | 0x1a3 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0143198090692125
      PIC | 0x301160 | 0x198 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0122549019607843
      PIC | 0x3012f8 | 0x1cd | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0151843817787418
      PIC | 0x306f10 | 0x612 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.592020592020592
      PIC | 0x2f27f8 | 0x1c2 | PC bitmap, Windows 3.x format, 11 x 11 x 24, image size 396, resolution 2834 x 2834 px/m, cbSize 450, bits offset 54 | Chinese | China | 0.16444444444444445
      PIC | 0x2f4260 | 0x181 | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0051948051948052
      PIC | 0x2f43e8 | 0x17f | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0078328981723237
      PIC | 0x2f4568 | 0x1ac | PNG image data, 20 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.014018691588785
      PIC | 0x305538 | 0x121 | PNG image data, 137 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9584775086505191
      PIC | 0x3053c0 | 0xbd | PNG image data, 235 x 1, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9523809523809523
      PIC | 0x3026d8 | 0x71d | PNG image data, 204 x 67, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9835255354200988
      PIC | 0x302df8 | 0x979 | PNG image data, 180 x 67, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.8750515463917525
      PIC | 0x305298 | 0x127 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9932203389830508
      PIC | 0x304e48 | 0x144 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9845679012345679
      PIC | 0x306108 | 0xb4b | PNG image data, 5 x 9, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0038049117952266
      PIC | 0x305fe0 | 0x124 | PNG image data, 13 x 10, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0
      PIC | 0x306c58 | 0x2b3 | PNG image data, 31 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.015918958031838
      PIC | 0x304858 | 0x1b2 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0161290322580645
      PIC | 0x304f90 | 0x182 | PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0025906735751295
      XML | 0x2caa78 | 0x19eb | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | Chinese | China | 0.2375282592313489
      XML | 0x2c6430 | 0x4646 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.11967759866592552
      RT_ICON | 0x30a470 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Chinese | China | 0.2817919075144509
      RT_ICON | 0x30a9d8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | Chinese | China | 0.03706320087581738
      RT_ICON | 0x34ca00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.16514522821576763
      RT_ICON | 0x34efa8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.2028611632270169
      RT_ICON | 0x350050 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Chinese | China | 0.29918032786885246
      RT_ICON | 0x3509d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.39893617021276595
      RT_ICON | 0x350ea0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.32432432432432434
      RT_ICON | 0x350fc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Chinese | China | 0.06069364161849711
      RT_ICON | 0x351530 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.10283687943262411
      RT_ICON | 0x3519c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.4358108108108108
      RT_ICON | 0x351af0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Chinese | China | 0.08670520231213873
      RT_ICON | 0x352058 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.1320921985815603
      RT_ICON | 0x3524f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Chinese | China | 0.44594594594594594
      RT_ICON | 0x352618 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Chinese | China | 0.09465317919075145
      RT_ICON | 0x352b80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.14627659574468085
      RT_DIALOG | 0x289470 | 0x264 | data | Chinese | China | 0.5702614379084967
      RT_DIALOG | 0x2896d8 | 0x1fe | data | Chinese | China | 0.503921568627451
      RT_DIALOG | 0x2890e0 | 0x38e | data | Chinese | China | 0.5043956043956044
      RT_STRING | 0x353018 | 0x94 | data | Chinese | China | 0.722972972972973
      RT_STRING | 0x3530b0 | 0xe2 | data | Chinese | China | 0.5619469026548672
      RT_GROUP_ICON | 0x351998 | 0x30 | data | Chinese | China | 0.9583333333333334
      RT_GROUP_ICON | 0x3524c0 | 0x30 | data | Chinese | China | 0.9791666666666666
      RT_GROUP_ICON | 0x352fe8 | 0x30 | data | Chinese | China | 0.9791666666666666
      RT_GROUP_ICON | 0x350e40 | 0x5a | data | Chinese | China | 0.7666666666666667
      RT_VERSION | 0x30a1e0 | 0x28c | PGP symmetric key encrypted data - Plaintext or unencrypted data | Chinese | China | 0.5245398773006135
      RT_MANIFEST | 0x309f28 | 0x2b7 | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | Chinese | China | 0.5136690647482014
      RT_MANIFEST | 0x353198 | 0x311 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (709), with CRLF line terminators | English | United States | 0.5286624203821656
      DLL | Import
      SHLWAPI.dll | PathFileExistsA, PathFileExistsW, PathAddBackslashW
      KERNEL32.dll | lstrcmpiW, LocalAlloc, SystemTimeToTzSpecificLocalTime, SetUnhandledExceptionFilter, CreateFileMappingW, MapViewOfFile, OpenFileMappingW, UnmapViewOfFile, TlsSetValue, TlsGetValue, DosDateTimeToFileTime, LocalFileTimeToFileTime, SetFileTime, FindResourceW, LoadResource, LockResource, SizeofResource, MulDiv, LCMapStringW, GetModuleFileNameA, GetCurrentThread, SuspendThread, GetThreadContext, ResumeThread, GetPrivateProfileStringA, SetFilePointerEx, SetEndOfFile, DeleteFileA, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, LoadLibraryExW, GetStdHandle, OutputDebugStringW, InitializeCriticalSectionAndSpinCount, CompareStringW, InterlockedIncrement, GetWindowsDirectoryW, Process32NextW, K32GetModuleFileNameExW, OpenProcess, Process32FirstW, CreateToolhelp32Snapshot, GetLocalTime, CreateThread, CloseHandle, WriteFile, CreateFileW, GetTempPathW, MoveFileExW, CopyFileW, TerminateThread, Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, DeleteFileW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetOEMCP, IsValidCodePage, GlobalUnlock, FindFirstFileExA, GetCurrentDirectoryW, WriteConsoleW, SetStdHandle, FlushFileBuffers, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetACP, PeekNamedPipe, GetDriveTypeW, GetFileType, GetConsoleCP, ReadConsoleW, GetConsoleMode, GetFullPathNameA, GetFullPathNameW, GetModuleHandleExW, RtlUnwind, CreateTimerQueue, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, DuplicateHandle, VirtualProtect, GetModuleHandleA, FreeLibraryAndExitThread, GetThreadTimes, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, ExitProcess, FindResourceExW, WinExec, ReadProcessMemory, VirtualFree, VirtualAlloc, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, UnhandledExceptionFilter, WaitForSingleObjectEx, ResetEvent, SetEvent, GetCPInfo, GetStringTypeW, GetLocaleInfoW, GetSystemTimeAsFileTime, TlsFree, TlsAlloc, CreateEventW, SetLastError, EncodePointer, TryEnterCriticalSection, GlobalLock, GlobalFree, GlobalAlloc, CreateProcessW, GetExitCodeProcess, FindNextFileA, WaitForSingleObject, SetFileAttributesW, GetFileAttributesW, FindClose, lstrcpyW, FindNextFileW, FindFirstFileW, GetTickCount, GetCurrentProcess, GetModuleHandleW, LocalFree, GetCurrentThreadId, GetSystemInfo, GetVersionExW, GetSystemDirectoryW, CreateFileA, WTSGetActiveConsoleSessionId, GetEnvironmentVariableW, GetLongPathNameW, FreeLibrary, GetProcAddress, RemoveDirectoryW, CreateDirectoryW, GetCurrentProcessId, LoadLibraryW, FileTimeToSystemTime, ReadFile, GetCommandLineA, GetFileSize, GetProcessHeap, WideCharToMultiByte, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, HeapDestroy, MultiByteToWideChar, DecodePointer, DeleteCriticalSection, InitializeCriticalSectionEx, GetLastError, RaiseException, lstrlenW, GetPrivateProfileIntW, WritePrivateProfileStringW, GetModuleFileNameW, GetPrivateProfileStringW, AreFileApisANSI, SetFilePointer, LockFile, LockFileEx, UnlockFile, GetFileAttributesA, GetTempPathA, LoadLibraryA, FormatMessageA, GetSystemTime
      USER32.dll | GetMonitorInfoW, SystemParametersInfoW, FindWindowW, GetDesktopWindow, GetWindowRect, EnumDisplayMonitors, PtInRect, GetParent, GetSystemMetrics, LoadStringW, GetKeyState, GetKeyboardState, GetActiveWindow, IsWindow, ScreenToClient, ClientToScreen, GetWindowThreadProcessId, GetForegroundWindow, BringWindowToTop, LoadImageW, SetWindowLongW, SetWindowPos, GetLastInputInfo, PostMessageW, OpenClipboard, EmptyClipboard, CloseClipboard, SetClipboardData, IsClipboardFormatAvailable, GetClipboardData, GetClassNameW, keybd_event, FindWindowExW, CharLowerW, GetFocus, IsWindowVisible, SetTimer, KillTimer, SetRect, SendMessageW, DestroyWindow, RegisterWindowMessageW, DefWindowProcW, LoadCursorW, RegisterClassExW, CreateWindowExW, MonitorFromPoint, GetDC, ReleaseDC, WindowFromPoint, SendMessageTimeoutW, DialogBoxParamW, CreateDialogParamW, ShowWindow, SetWindowTextW, SetDlgItemTextW, EndDialog, GetDlgItem, SetCursor, IsIconic, InvalidateRect, SetFocus, GetCaretPos, GetCapture, DrawTextW, CharNextW, GetWindowLongW, TrackPopupMenu, RemoveMenu, ModifyMenuW, InsertMenuW, EnableMenuItem, SetMenuInfo, DestroyMenu, DeleteMenu, CreatePopupMenu, CreateMenu, GetCursorPos, GetClientRect, FillRect, UnionRect, SetRectEmpty, UpdateLayeredWindow, EndPaint, BeginPaint, SetCapture, OffsetRect, ToAscii, MessageBeep, ReleaseCapture, GetAsyncKeyState, GetDlgItemInt, SetDlgItemInt, MessageBoxW, CallWindowProcW, GetDlgItemTextW, MoveWindow
      GDI32.dll | CreateSolidBrush, EnumFontsW, CreateICW, GetPixel, DeleteDC, BitBlt, CreateCompatibleBitmap, DeleteObject, SelectObject, CreateCompatibleDC, CreateFontW, SetTextColor, SetBkMode, GetDeviceCaps, GetStockObject, LineTo, CreateBitmap, GetObjectW, GetDIBits, CreateDCW, GetTextExtentPoint32W, ExcludeClipRect, GetTextExtentPointW, TextOutW, CreatePen, MoveToEx, CreateDIBSection
      ADVAPI32.dll | RegCreateKeyExW, CreateProcessAsUserW, SetTokenInformation, DuplicateTokenEx, GetSecurityDescriptorControl, SetSecurityDescriptorDacl, AddAccessAllowedAce, AddAce, EqualSid, GetAce, InitializeAcl, GetLengthSid, GetAclInformation, GetSecurityDescriptorDacl, LookupAccountNameW, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, RegDeleteValueW, RegDeleteKeyW, RegOpenKeyW, ImpersonateLoggedOnUser, RevertToSelf, RegSetValueExW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, GetSecurityDescriptorSacl, SetNamedSecurityInfoW, LookupAccountSidW, SetSecurityInfo, RegEnumKeyExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegCreateKeyW, RegSetValueW, SetFileSecurityW, GetFileSecurityW
      SHELL32.dll | SHGetSpecialFolderPathA, SHGetSpecialFolderPathW, SHFileOperationW, SHGetFolderPathW, SHAppBarMessage, ShellExecuteExW, ShellExecuteW
      ole32.dll | CoUninitialize, CreateStreamOnHGlobal, CoInitialize, CoCreateInstance
      OLEAUT32.dll | SysFreeString, SysAllocStringLen, GetErrorInfo, SysStringLen, SysAllocString
      USERENV.dll | DestroyEnvironmentBlock, CreateEnvironmentBlock
      gdiplus.dll | GdipCloneFontFamily, GdipFillRectangleI, GdipGetGenericFontFamilySansSerif, GdipGetImageRawFormat, GdipCloneBitmapAreaI, GdipCreateBitmapFromStream, GdipCloneImage, GdipDisposeImage, GdipBitmapSetPixel, GdipBitmapGetPixel, GdipSetPenDashStyle, GdipDrawLineI, GdipFillPath, GdipDrawPath, GdipSetImageAttributesColorKeys, GdipAddPathLineI, GdipAddPathArcI, GdipCreateFont, GdipCreateFontFamilyFromName, GdipDeleteFont, GdipDrawString, GdipSetImageAttributesColorMatrix, GdipCreateImageAttributes, GdipGetImageHeight, GdipGetImageWidth, GdipDrawImageRectRectI, GdipDrawLine, GdipDeletePen, GdipCreatePen1, GdipDeleteGraphics, GdipCreateFromHDC, GdipGetFontCollectionFamilyList, GdipCloneBrush, GdipAlloc, GdipDeleteBrush, GdipDisposeImageAttributes, GdipImageSelectActiveFrame, GdipGetPropertyItem, GdipGetPropertyItemSize, GdipImageGetFrameCount, GdipImageGetFrameDimensionsList, GdipImageGetFrameDimensionsCount, GdipDeletePrivateFontCollection, GdipPrivateAddFontFile, GdipFree, GdipNewPrivateFontCollection, GdipNewInstalledFontCollection, GdipGetFontCollectionFamilyCount, GdipMeasureString, GdipSetStringFormatFlags, GdipDeleteStringFormat, GdipStringFormatGetGenericTypographic, GdipCloneStringFormat, GdipGetFontSize, GdipGetFamily, GdipDeleteFontFamily, GdipDeletePath, GdipCreatePath, GdipCreateBitmapFromScan0, GdipBitmapLockBits, GdipBitmapUnlockBits, GdiplusStartup, GdipCloneFont, GdipDrawImageRectI, GdipCreateStringFormat, GdipSetStringFormatLineAlign, GdipSetStringFormatAlign, GdipCreateSolidFill
      WTSAPI32.dll | WTSQueryUserToken
      dbghelp.dll | SymGetModuleBase64, SymFunctionTableAccess64, SymInitialize, StackWalk64, EnumerateLoadedModules64
      Name | Ordinal | Address
      DllCanUnloadNow | 1 | 0x101376a0
      DllGetClassObject | 2 | 0x10137590
      DllRegisterServer | 3 | 0x10137770
      DllUnregisterServer | 4 | 0x101376b0
      GetServicesProfile | 5 | 0x101377a0
      Language of compilation system | Country where language is spoken | Map
      Chinese | China |
      English | United States |
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      May 23, 2024 01:31:58.240448952 CEST | 1.1.1.1 | 192.168.2.11 | 0xa403 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
      May 23, 2024 01:31:58.240448952 CEST | 1.1.1.1 | 192.168.2.11 | 0xa403 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
      May 23, 2024 01:31:58.922285080 CEST | 1.1.1.1 | 192.168.2.11 | 0x199f | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
      May 23, 2024 01:31:58.922285080 CEST | 1.1.1.1 | 192.168.2.11 | 0x199f | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false

      Target ID:0
      Start time:19:31:38
      Start date:22/05/2024
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll"
      Imagebase:0xb80000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:1
      Start time:19:31:38
      Start date:22/05/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff68cce0000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:2
      Start time:19:31:38
      Start date:22/05/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
      Imagebase:0xc30000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:3
      Start time:19:31:38
      Start date:22/05/2024
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline:regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll
      Imagebase:0x7a0000
      File size:20'992 bytes
      MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:19:31:38
      Start date:22/05/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll",#1
      Imagebase:0xda0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:6
      Start time:19:31:38
      Start date:22/05/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllCanUnloadNow
      Imagebase:0xda0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:7
      Start time:19:31:41
      Start date:22/05/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllGetClassObject
      Imagebase:0xda0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:8
      Start time:19:31:44
      Start date:22/05/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Adware.Softcnapp.184.8522.30222.dll,DllRegisterServer
      Imagebase:0xda0000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      No disassembly