Windows Analysis Report
SecuriteInfo.com.FileRepMalware.6479.21607.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.6479.21607.exe
Analysis ID: 1546265
MD5: 5e96050ed8827efeb9c90d59ce708f10
SHA1: 83dca0d791cfaeca7fe8ad68fed370c37ef48ce1
SHA256: 0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075
Tags: exe

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
PE file has a writeable .text section
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Searches for the Microsoft Outlook file path
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Avira: detection malicious, Label: HEUR/AGEN.1303415
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe ReversingLabs: Detection: 53%
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 180.188.25.9:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.154.254.89:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: Binary string: \Bin\lander.pdbX G source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\lander.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\iconTips.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\iconAnimate.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\lander.pdbX L source: dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: Joe Sandbox View IP Address: 163.171.133.72 163.171.133.72
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 163.171.133.72:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 159.75.141.43:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 159.75.141.43:80
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49747
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49764
Source: global traffic HTTP traffic detected: GET /httpsEnable.gif?t=1730391733433 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: my.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /TCaptcha.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/tcaptcha-frame.5e0f125a.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /template/drag_ele.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/dy-jy3.js HTTP/1.1Accept: */*Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/dy-ele.16bf5dd7.js HTTP/1.1Accept: */*Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dy-jy3.js HTTP/1.1Accept: */*Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391723 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391723 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /controller/client.php?action=register&game_id=417&tpl_type=game2 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-AliveCookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/rem_on.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/kv-ico.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391727 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391727 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/reg.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/dot.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /www2015/images/common/third-logo-24.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.tab.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.statis.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.clientclass2.js?t=1730391727 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=417&sid=&position=1&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=&ext_5=gy&ext_6=&login_account=&browser_type=&user_ip=&refer=wd_37cs&uid=921614&page=4&t=1730391732770 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: a.clickdata.37wan.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /www2015/images/reglog/200x42.png?v=1 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /www/css/images/common/dialog2/bg-dialog-avatar.png?v=1 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /proxy_yk.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: regapi.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /www/css/images/common/ico.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/ HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cm.he2d.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/lib/sq.core.js HTTP/1.1Accept: */*Referer: http://regapi.37.com/proxy_yk.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata= HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: cookiem.37.comCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/btn-log-short.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/btn-reg.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0047DFE0 _memset,InternetCrackUrlW,InternetOpenW,InternetConnectW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,HttpQueryInfoW,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CreateFileW,InternetReadFile,WriteFile,CloseHandle, 1_2_0047DFE0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 31 Oct 2024 16:22:03 GMTContent-Type: text/html;charset=UTF-8Connection: closeSet-Cookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheSet-Cookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; path=/; domain=37.comSet-Cookie: client_type=3; path=/; domain=37.comContent-Encoding: gzipserver-timing: inner; dur=79Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b5 5a 7b 73 d3 56 16 ff bb cc f4 3b a8 62 5b 92 82 2c c9 76 e2 b7 3b 34 94 60 86 d0 10 28 29 9e ce 30 57 0f db 8a f5 42 92 ed 38 29 33 30 b3 b4 dd 6e 69 e9 ce f6 c5 32 db c7 2e 1d 66 bb 6d 77 a7 33 6d 77 4b db 0f 43 9c c0 5f fb 15 f6 9c ab 87 25 5b 81 50 40 26 96 74 ef 3d e7 fc ce b9 e7 71 ef c5 d5 67 14 4b f6 86 b6 ca 74 3c 43 af ef ab e2 8d d1 89 d9 ae b1 1b 1d 16 1b 54 a2 d4 f7 31 70 55 0d d5 23 8c dc 21 8e ab 7a 35 f6 95 33 47 b9 22 cb f0 41 a7 a7 79 ba 5a 1f fd f2 cd ce 57 df 56 79 ff 2d 46 66 12 43 ad b1 2d c7 32 3d d5 54 58 46 a6 0f c0 a6 43 4c 10 14 b1 d1 Data Ascii: Z{sV;b[,v;4`()0WB8)30ni2.fmw3mwKC_%[P@&t=qgKt<CT1pU#!z53G"AyZWVy-FfC-2=TXFCL
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/pngContent-Length: 912Connection: keep-aliveAge: 2505797Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59438b1e-764"Expires: Fri, 01 Nov 2024 16:18:50 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 0a19ff7cb6bc940fd8c4beaba853c0a9X-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:07 GMTvia: pic03.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 53 5d 6c 14 55 14 3e cd 36 c5 40 9a 10 9f 40 1e bc cc 82 d1 c4 dd d9 d9 76 4b 77 e8 42 ba 3b bb ed 46 a6 94 ed 46 ab 2f 74 76 e6 b6 3b 29 f3 d3 99 db ee 6e 83 51 8b 62 c0 3f 4c 48 fc a1 a6 12 45 22 08 44 8d 08 56 d0 28 3e 90 2c a0 46 08 3f 35 d1 04 21 e1 85 07 7e da 20 e1 7a 67 e9 96 c4 b8 c6 27 9f f8 92 99 7b cf cd f7 9d 7b ce b9 e7 6c e9 ee ea 68 9c ff d0 7c 00 68 4c 77 4a 19 b6 2e 61 df 82 07 7c ec 7f 78 aa e1 36 5b 16 93 64 2f e9 b1 fa 49 41 71 30 b4 6b 56 0e a3 b4 a1 0c e0 0c 56 b4 d2 d0 71 dc 06 e0 f3 eb d9 5e d2 2b af 11 55 cb 08 2a 1e 27 58 34 6c f0 d0 b6 ba 68 2b ea 20 26 28 87 07 74 33 c6 5d 9d fc 86 43 ba 16 e3 9e 8a c8 21 d9 4e e0 bc de 39 ea e0 9e d1 ae ac 3a 3a a8 46 35 6e f5 2a d4 56 14 99 03 03 13 05 15 8d 0d a6 2b 16 63 5c c5 af c8 f6 de 31 cf a1 0a 85 0c c6 b8 bb 41 f5 ca dd 28 61 39 18 45 82 91 80 1a 12 9a d1 8a 68 50 88 08 cd ad c2 e3 28 1c 12 9a f8 50 13 2f 34 05 84 b0 18 8a 8a 42 04 cd 82 63 b7 39 5a bf 98 91 52 b3 77 31 2b c6 e5 09 b1 45 9e 2f 14 0a c1 42 53 d0 72 06 78 21 1a 8d f2 a1 30 1f 0e 07 18 23 e0 96 4c a2 14 03 a6 eb af 7a 90 b0 ab 3a ba 4d 74 cb 44 9e ad e4 ac 61 12 e3 b8 6a 0a 86 3d e7 d6 74 67 cb c4 0a c6 17 15 9b 17 82 21 2f a5 2a 51 96 ff 9d 6a 18 73 6c 97 64 f0 bd 78 ff 91 ed 66 4b 36 e6 33 d8 b5 86 1d 95 3d 5c bf df 13 db 62 c2 c1 0a b1 9c ac 65 6d a8 56 b1 3b 6f 11 cb cd 5b 36 4a 24 d0 a3 b2 a2 ea a6 67 3f 56 11 c8 b2 98 36 5d a2 
98 2a 4e 4b 31 8e 9d 04 75 5d 13 c3 52 24 d2 1e 4f 49 2b 84 e6 84 20 24 9b db 59 f1 5b e3 d1 96 96 16 a1 35 1c 4e 09 55 ad 64 a9 c3 06 36 49 55 ab dd d3 26 6b 6a bd 5e b8 ab c6 8e 3e 82 b5 94 63 19 a8 92 b3 a8 d7 8e 25 5e d3 df ac 56 ab 1d 4b a2 a6 96 67 c1 f0 7f 7b e9 ea 11 6b 1f 6f 3b d7 b7 cc 98 eb 7c 6c b2 76 77 58 5f 4f 1e ed d9 c8 c6 05 ba d7 64 93 6c 36 28 c3 cf 40 7f 01 7a 06 e8 49 a0 a7 80 1e 87 4b 9f 01 fd 0e e8 31 b8 f2 29 ec db 04 74 12 e8 d7 40 0f 02 3d 0c 74 3f d0 cf e1 f7 71 a0 7b 80 ee 05 ba 0f e8 07 40 3f 82 3b bb e0 d6 04 9c 7b 15 e8 fb 40 77 c2 af 5b e1 80 09 cf ad 05 ba 03 ee bc Data Ascii: S]lU>6@@vKwB;FF/tv;)nQb?LHE"DV(>,F?5!~ zg'{{lh|hLwJ.a|x6[d/IAq0kVVq^+U*'X4lh+ &(t3]C!N9::F5n*V+c\1A(a9EhP(P/4Bc9ZRw1+E/BSrx!0#Lz:MtDaj
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/pngContent-Length: 1078Connection: keep-aliveAge: 2443286Cache-Control: max-age=2592000Content-Encoding: gzipExpires: Sat, 02 Nov 2024 09:40:41 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 76736ea00734abf7da8cab947d6bad4cX-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:07 GMTvia: pic03.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 eb 0c f0 73 e7 e5 92 e2 62 60 60 e0 f5 f4 70 09 02 d2 7c 20 cc c1 0c 24 35 a6 dd 7d 0c a4 24 4b 5c 23 4a 82 f3 d3 4a ca 13 8b 52 19 1c 53 f2 93 52 15 3c 73 13 d3 53 83 52 13 53 2a 0b 4f a6 da 30 30 30 2b 67 86 44 94 44 f8 fa 58 25 e7 e7 ea 25 82 d4 e8 55 e4 16 30 80 80 8d 7d 45 41 62 72 76 6a 89 42 52 6a 7a 66 9e ad d2 fb dd fb 95 14 32 53 6c 95 c2 4d 7d 0d 7c 0b 9c 53 33 32 3d aa 8a 52 83 ab fc 42 92 ab b2 93 2d 53 94 ec ed 14 6c 2a ac 80 06 e4 a6 96 24 2a 54 e4 e6 e4 15 5b 55 d8 2a 81 cd b5 02 b2 41 c2 fa 4a 0a 60 25 25 d9 b6 4a 10 47 45 f8 06 28 38 e7 17 a5 2a 98 ea 99 ea 26 1b 18 9a 28 98 5b ea 19 9a 1a 9a 58 18 ea 28 18 19 18 1a eb 1b 18 eb 1b 1a eb 1a 1a 59 19 58 5a 19 9a 2a 40 81 12 d0 b6 a2 94 34 ab 20 17 37 a8 5d 40 9e ad 52 46 49 49 81 95 be 7e 79 79 b9 5e b9 b1 5e 7e 51 ba be a1 a5 a5 a5 be 81 91 be 91 91 2e 50 85 6e 71 65 5e 49 62 85 6e 5e b1 32 cc 04 97 d4 e2 e4 a2 cc 82 92 cc fc 3c 05 10 3f 31 29 bf b4 c4 56 49 09 e6 85 dc 02 b8 b1 79 c5 d0 60 02 06 98 7e 45 62 81 be a1 9e 01 c8 4b 30 85 be be f8 95 e6 e6 c2 55 17 97 04 a5 22 dc 8b 55 75 71 48 65 41 aa 7e 50 6a 71 7e 69 51 32 30 e2 d2 94 41 9a 0b ac 9c 8b 52 13 4b f2 8b 42 f2 f3 73 60 a1 18 90 91 5f 92 5f 9c 91 5f a0 e0 ec ac a0 e1 9b 98 9c 99 07 e2 6b 82 35 f8 fa 5a 79 e6 15 97 24 e6 25 a7 7a ba d8 2a 01 45 f4 32 33 53 ac 8c 4d dc 5c 8c 5c cc 8d 2d 4c 8c 2d 0c 0d 5d 4d 2c 1d 9d dd 9c 8d 5d 4d 5d cc cd 8c 0c cd 0c 8d 61 7a 5d f2 
93 4b 73 53 f3 4a 60 7a 53 10 7a 4d 70 ea 05 a5 05 88 ee d4 a2 cc b2 d4 14 b7 a2 fc 5c 05 b0 9f ad 32 71 bb c5 10 a7 79 50 bd 29 b8 dd 62 84 53 af 3e d0 31 fa 68 31 0d 13 02 26 1f 10 13 9e 6e 81 1c 78 ca 4f cd 03 26 f7 22 60 ba 6e 60 31 f6 05 66 17 86 00 9f 10 57 60 de f8 ff ff ff c1 89 6e 47 a7 7a 1c 9e ec 7e 64 8a c7 da 46 bb ed 9d 4e 5b da 1d 97 54 59 77 a7 18 4c c9 31 69 4f d4 9f 5b 6c 51 19 aa 59 1d ae 55 1a a4 91 ec ac 90 e3 a5 22 23 c0 22 c5 cf 22 c1 c7 22 c6 cb 22 2b c0 22 cd cf 22 c9 c7 22 27 c8 2a ce cb 12 64 22 19 64 2a 19 60 2c 29 c9 cb 2c ce c3 2c c5 c7 22 01 52 c3 1a 60 24 e1 a5 27 26 c5 cb ec a2 21 ec ac 21 2c c1 c3 22 ce c3 Data Ascii: sb``p| $5}$K\#JJRSR<sSRS*O000+gDDX%%U0}EAbrvjBRjzf2SlM}|S32=RB-Sl*$*T[U*AJ`%%JGE(8*&([X(YXZ*@4 7]@RFII~yy^^~Q.Pnqe^Ibn^2<?1)VIy`~Eb
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 31 Oct 2024 16:22:07 GMTContent-Type: text/html;charset=UTF-8Connection: closeExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Encoding: gzipserver-timing: inner; dur=141Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b5 1a fb 73 13 d5 fa 67 99 f1 7f 58 97 ab b4 c2 76 1f 49 9b 77 1c 2c 52 c2 50 2c 05 a9 64 9c 61 f6 95 64 9b 7d b1 bb 49 9a 56 66 ca 8c 95 5e a4 52 bc 8a ca 70 e7 aa 57 b8 8c 0a 78 af 77 04 05 e5 8f a1 9b 94 9f ee bf 70 bf 73 f6 91 dd 24 ad 45 ca a6 cd ee 9e f3 bd cf f7 3a a7 cd bf 22 19 a2 d3 36 65 a2 e6 68 6a 71 4f 1e dd 08 95 d7 ab 05 72 b1 46 a2 01 99 97 8a 7b 08 b8 f2 9a ec f0 84 58 e3 2d 5b 76 0a e4 3b a7 0e 53 69 92 a0 fd 49 47 71 54 b9 e8 fe 7e b7 fb fd bd 3c ed bd 45 d0 74 5e 93 0b 64 c5 32 74 47 d6 25 92 10 f1 03 90 a9 f1 3a 30 0a c9 a8 8a 5e 27 2c 59 2d 90 b6 d3 56 65 bb 26 cb 0e 49 d4 2c b9 52 20 69 5a d1 aa ec 58 22 d5 e2 75 78 1a 13 0d 8d 9e 5f 14 cf d1 a2 6d d3 a2 aa 00 3d ba 0a 7c d8 31 18 78 c3 29 b0 a9 04 93 c8 b0 29 2e 15 d2 df 93 a7 3d 85 f2 82 21 b5 7d 9e 92 d2 24 44 95 b7 ed 02 89 c4 e2 15 5d b6 90 0c bc a3 34 65 78 a8 12 4e 4d b1 24 b0 06 86 0f 71 14 a9 40 c2 2c 55 31 2c 8d 0c 28 04 03 21 01 d2 e3 12 62 9a 01 a4 49 55 14 cb 76 08 93 b2 a8 86 6d f5 c1 61 58 95 17 64 95 00 72 1e dd 86 2d 5b c8 90 64 b1 fb e9 ed ce ea 7d f7 c1 ba 7b e5 fe ff 1e 5d cf d3 18 b2 98 57 74 b3 e1 10 68 41 0b a4 23 2f 80 e9 02 21 43 5c 7f 29 e2 63 11 e1 c3 41 ba 98 b7 4d 5e 0f e6 6c 87 77 1a 36 59 cc d3 68 b4 4f 29 da dc 4a 4b 44 d2 51 4c 02 34 44 77 b2 98 a4 38 66 e3 c1 77 9d cf 7e 74 ef 7c fe 64 f9 02 7c 77 ee ad 75 56 af 6d 2e af 6c 3c f8 c8 5d fd a4 fb eb e3 ee c3 0f 3a ab eb db 90 45 46 33 5b 68 4d a2 f3 18 a6 cf 68 26 c0 b7 0c b4 7c 9b 77 7f ef fe 76 d7 bd f7 61 f7 ab 0b 5b 19 2d 84 0e 0d d7 1b e9 19 ae 37 16 d1 32 1c dc 5d c3 81 96 9e e1 26 b6 31 5c f7 af bf 74 ee 5e 82 91 ee 0f b7 76 
6a 3b ee 19 8c 07 b0 4f 2f ae b9 df ae fd 59 eb 71 c3 cc c7 0d b5 1f b7 fb 06 e4 3c 0b 6e 3c f8 b6 f3 c3 d7 9b bf ff cd 5d b9 d9 bd fe 81 a7 cb e6 bd fb 1b 8f ff de b9 7c 61 e3 c1 f2 e6 c5 ff 6e 43 d0 16 c9 b8 60 62 4d 16 eb 04 fe a6 0c dd 53 1a bf 09 c6 82 17 a7 be c8 79 de 4f 61 35 c7 31 b3 34 ad b5 21 8b e1 fc 85 a2 ed 2c 5f b5 64 59 83 f4 35 86 d2 6f 68 94 70 98 24 1c de aa a2 a4 7b 56 80 dc 5c 27 8b 9d d5 ab ee fd ff 3c fd 62 65 f3 de 43 f7 97 9f dd f5 cb 9d 0f ae 3c 59 be e4 e5 85 ce 4f b7 dd 0f 2f 77 6e ac b9 97 be 76 d7 ae 6c de bd eb 5e b9 f4 f4 fa 7a f7 5f 17 3a 9f 3e ee de b9 f6 64 f9 a3 3c cd 17 07 75 0d e4 dc 1b 0a 21 38 3a 01 bf 14 58 13 c4 40 69 bd 40 22 bd f8 2d 30 7d 0d 51 1e e6 4d 33 50 13 e5 55 cb 50 55 d9 f2 13 f5 98 59 33 df 40 40 67 c1 68 49 36 f5 9a 63 aa 67 b1 13 a1 41 ee 35 a0 25 5b 85 96 74 36 91 12 ed d7 1a 00 94 e1 d8 09 36 39 20 97 6a 54 29 bb 66 58 ce 30 a1 a2 99 1d b3 a5 70 26 a7 70 95 89 8e 90 04 2e 37 05 52 52 6c 53 e5 db 59 dd d0 d1 f2 e1 d5 73 57 7e de 78 78 cd 4b b6 dd 2f 1f b
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 41066Connection: keep-aliveAge: 1215620Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59438b1e-a44a"Expires: Sat, 16 Nov 2024 14:41:48 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 7f0f1a632160649a6c61a0c50335d249X-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:08 GMTvia: pic03.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 b4 b9 75 5c 9b 4f b7 2f 1a dc 9d 00 c5 5d 82 06 77 77 8a 13 bc 14 2f 01 82 7b 29 d2 a2 29 ee 45 0a c5 2d 58 09 5a a0 05 82 d3 e2 50 a0 a5 68 71 2b 14 8a 1e fa 3b ef bb f7 b9 f7 ec b3 ef f9 e7 ce 27 79 3e 33 6b 96 7c d7 ac 59 33 eb 49 ee 17 ee 57 01 34 6a 41 50 67 00 40 4b 0b 04 c0 05 fc 67 bb df 07 90 a9 fa 3b b8 05 03 d0 00 98 0f 63 d9 07 d2 2a 46 a0 8b 9f 9f 97 b4 a0 a0 87 af 80 9d a3 a7 bd 93 80 83 27 4c 30 c8 ce 4b 10 2c 20 24 08 90 55 08 f2 b2 73 70 73 f2 63 b6 77 7a 06 f5 90 63 3d ea ec 61 65 86 3a ca b1 9a 89 e9 0a e9 7a a9 38 b9 40 35 43 7c 9c 8c 43 f4 4c 1c 42 dc 1c a4 1c 59 15 e4 99 65 83 a4 83 60 5e 30 27 3f 3b e6 20 98 bb 87 af 74 90 1c eb 3f ca a5 1f fa 7f c9 82 ac cc ff b0 f8 b9 c9 b1 2a fd 9d 60 36 d7 35 60 56 f1 f4 71 62 16 13 10 e3 77 10 02 8b 32 4b 48 09 80 c5 c0 a2 92 60 3e 66 61 21 b0 88 a0 90 88 20 58 84 1f 2c 2c 2d 24 25 0d 16 63 fe 57 63 7d b0 e6 e3 e8 2c 6d a4 aa fe 2f 5b 0f 23 39 d6 7f 39 15 18 18 28 10 28 22 e0 e9 f3 4c 10 2c 25 25 25 28 24 2c 28 2c cc ff c0 c1 ef 1b ec e1 67 17 c4 ef e1 cb f6 6f 0d aa 4e be 0e 3e 50 2f 3f a8 a7 07 f3 df b1 9d bd a7 bf 9f 1c 2b eb bf 5d 80 79 e9 ea fe 87 e2 ff 72 b5 60 b0 bf 7e fd c3 ed eb 67 e4 f4 9f 30 fe 4b 6e 5f 93 60 2f 27 41 23 27 5f 4f 7f 1f 07 a7 07 76 b6 ff c5 d4 7f 2f fa 97 f1 01 8d b4 be 0f f4 21 28 76 ee aa 9e 0e fe 30 27 0f 3f 2d 55 39 d6 87 19 01 47 a8 a3 b4 04 58 4c 58 4a 48 58 5d 44 48 45 4c 4d 
04 0c 56 06 0b a9 28 89 aa 08 4b 8a 4a 29 81 95 85 24 fe ad e3 bf 92 95 14 03 ab a9 0a ab 2a 89 4a 09 4b 81 c1 6a 12 4a e2 ea 42 92 42 4a a2 c2 c2 6a 6a 6a 2a ca 2a ff 96 d5 f2 f0 f5 b3 f3 70 70 fa b7 2c f4 3f 65 a5 fe 5b 59 69 15 1f 27 3b 3f 4f 1f 13 4f 4f f7 7f ef 00 03 17 4f 3f 4f 5f 17 4f 2f 66 15 95 bf 11 17 63 e6 36 83 7a 38 7a 06 fa f2 fc 0d d1 bf d0 3a f9 40 03 9c 1c d5 7d 3c 61 cc ff ac b1 34 f4 bf c0 e0 24 09 16 15 76 b0 07 f3 0b 89 49 8a f0 8b da 49 48 f1 4b da 09 d9 f3 4b 39 3b 08 39 48 09 09 d9 8b 3b 08 b1 fe 4b de f1 bf f0 ff ff 73 ed 04 1f 00 09 fe bf 36 cd bf 49 0f 3b f1 6f Data Ascii: u\O/]ww/{))E-XZPhq+;'y>3k|Y3IW4jAPg@Kg;c*F'L0K, $Uspscwzc=ae:z8@5C|CLBYe`^0'?; t?*`65`Vqbw2KH`>fa! X,,-$%cWc},m/[#99(("L,%%%($,(,goN>P/?+]yr`~
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 18275Connection: keep-aliveAccess-Control-Allow-Headers: X-Requested-WithAccess-Control-Allow-Methods: GET,POST,OPTIONSAccess-Control-Allow-Origin: *Age: 1645057Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59476cc8-490e"Expires: Mon, 11 Nov 2024 15:24:32 GMTLast-Modified: Mon, 19 Jun 2017 06:18:48 GMTVary: Accept-EncodingX-Bdcdn-Cache-Status: TCP_HITX-Request-Id: 61816d58b5ba3fd3d61a03f678e512b3X-Request-Ip: 173.254.250.77X-Response-Cache: edge_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:09 GMTvia: pic01.hnxxcmData Raw: 1f 8b 08 00 00 00 00 00 00 03 8c ba 05 50 5d cf d2 2f ba 71 77 77 77 db 1b 77 77 77 49 70 77 dd b8 05 77 0d ee ee 6e c1 09 6e 1b 0b 10 9c e0 c1 25 10 3c e4 26 ff 73 ce f7 dd fb de 57 f7 bd a9 9a aa d5 d3 32 bf 9e ee 5e 33 6b 6a fd 5e fd bd 0b 20 94 f1 b1 b3 06 00 14 14 98 01 88 80 ff 6e bf cf 01 58 d2 9e 16 0e be 00 28 00 ec 1f 5a f8 cf d0 2e 8c b7 2d 18 ec 2a c8 c1 e1 ec c1 6e 66 e9 62 6e c5 6e e1 e2 c4 e1 63 e6 ca 01 62 07 72 00 84 c5 7c 5c cd 2c 1c ac c0 94 e6 56 36 76 ce 22 d4 57 3d 03 d4 94 76 96 22 d4 7a 3c 2a 40 15 57 29 2b 5b 3b 79 3f 77 2b 2d 3f 55 6d 0b 3f 07 0b 01 4b 6a 31 51 4a 61 1f 41 1f 27 57 27 2b b0 19 a5 8f 93 a3 b3 87 a0 8f 08 f5 3f c6 05 ff 3c ff 1d e6 a0 a6 fc 47 04 ec 20 42 2d f1 97 41 a9 af a2 4e 29 e5 e2 6e 45 c9 c3 ce cb 66 01 e4 e5 a3 e4 13 60 07 f1 f0 f1 71 f3 b1 52 72 02 41 3c 1c 40 2e 0e 2e 20 1b 27 97 20 37 50 90 9b 93 f2 df 8d fa cf 6c ee 96 d6 82 9a d2 b2 ff 9e eb 0f 25 42 fd 6f a7 bc bd bd d9 bd b9 d8 5d dc 6d 38 40 02 02 02 1c 40 4e 0e 4e 4e b6 3f 12 6c 1e be ce 60 33 1f 36 67 0f 9a ff 58 90 b6 f2 b0 70 b7 73 05 db b9 38 53 fe a5 cd cc 5d 3c c1 22 d4 d4 ff 71 c1 c9 55 45 e5 bf 0c ff 8f ab e5 e4 f4 d7 af 7f a4 3d c0 9a 56 ff 0d e3 7f 94 f6 d0 f6 75 b5 e2 d0 b4 f2 70 f1 74 b7 b0 fa 23 4e f3 bf 4d f5 7f 57 fd 2b f8 07 8d a0 9a bb dd 9f a0 98 39 4a 
bb 58 78 3a 59 39 83 15 a4 45 a8 ff 70 d8 2d ed 2c 05 f9 40 3c 9c 02 40 4e 59 2e a0 14 8f 0c 17 08 24 09 02 4a 49 70 4b 71 f2 73 0b 48 80 24 81 7c ff b1 f1 3f e9 f2 4a c9 f0 80 f8 f9 80 3c 9c 5c b2 20 90 0c 9f 84 2c 27 a7 0c 1f 2f b7 14 0f b7 80 8c 14 2f d7 7f 74 15 9c 3d c0 66 ce 16 56 ff d1 b5 fb 2f 5d 5e d9 ff ab ae a0 94 bb 95 19 Data Ascii: P]/qwwwwwwIpwwnn%<&sW2^3kj^ nX(Z.-*nfbnncbr|\,V6v"W=v"z<*@W)+[;y?w+-?Um?Kj1QJaA'W'+?<G B-AN)nEf`qRrA<@.. ' 7Pl%Bo]m8@@NNN?l`36gXps8S]<"qUE=Vupt#NMW+9JXx:Y9Ep-,@<@NY.$JIpKqsH$|?J<\ ,'//t=fV/]^
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 2329Connection: keep-aliveAge: 8377Cache-Control: max-age=2592000Content-Encoding: gzipExpires: Sat, 30 Nov 2024 14:02:58 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingVia: cache64.tzmp,pic03.hnxxcmX-Bdcdn-Cache-Status: TCP_MISS,TCP_HITX-Request-Id: e0a8cd40c56b2049ae1c40b560a3bf3bX-Request-Ip: 173.254.250.77X-Response-Cache: parent_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:35 GMTData Raw: 1f 8b 08 00 00 00 00 00 00 03 8c 54 07 54 53 69 16 7e a9 b4 a8 44 8a 48 18 89 41 01 67 0c c9 4b 21 05 01 21 21 88 a8 20 20 45 54 36 0d 89 48 02 49 20 09 03 16 50 50 10 46 40 2c d8 06 c5 86 88 6b 41 ec 8c 0a 82 e0 5a 40 44 14 75 90 32 82 8a 42 44 10 27 64 5e 38 a2 b3 7b 5c 77 ef 39 ef 9d 77 ef fd ee fd bf ef ff ff fb f4 8f f4 ed 80 8d 8f 5a 12 0d 00 7e 7e 3f 02 c6 c0 57 d3 bf 06 b0 dc 44 61 ac 06 80 01 48 c8 9f 03 85 da 11 aa 18 a5 32 9e 4d 22 49 15 2e 7c 91 4c 20 76 11 ca e2 48 6a 7e 3c 09 74 21 93 80 39 9e ea 78 be 30 56 ac c4 0b c4 2b 25 52 77 c2 db 4b 55 04 bc 44 e4 4e 08 a3 2f 24 2f 8c e7 88 63 24 f3 92 e5 e2 e0 e4 45 21 c2 e4 58 21 4b 44 f0 f4 c0 cf 51 b3 d5 71 f1 71 62 25 1f af 8e 5b 2d 55 b0 d5 ee 84 b1 e6 6c e8 db 10 26 11 f0 63 10 65 ac 3b c1 cb 90 c0 87 2f 0c c4 73 64 72 31 9e ee 42 27 0a c9 20 0d cf 60 b9 80 74 90 c6 04 67 e3 29 64 90 4a 22 53 49 20 95 08 52 d8 64 16 1b a4 e3 3f 1b 01 5a 4d 2e 8a 66 07 71 79 9f d7 82 3c 77 c2 67 51 2a 95 ca 45 45 75 91 c9 57 92 40 16 8b 45 22 53 48 14 0a 11 42 10 15 1a a9 92 af 26 4a 15 0e e3 1d b8 62 85 50 2e 89 57 4a 64 52 bc c1 e7 0b 64 89 4a 77 02 61 5c 42 5c fc c2 85 5f 1a 7f 73 b7 e2 e2 0c ba c6 d0 0a 65 90 f8 2b 8d 6f a2 15 21 9a 78 31 29 48 ac 90 25 ca 85 62 08 ee f0 b7 a5 be 5f 6a 00 42 6c d8 01 72 09 74 28 fc d5 5c 99 30 31 4e 2c 55 fa 71 dd 09 50 c6 45 24 11 b1 19 20 9d c2 22 53 78 54 32 87 ee 43 05 41 6f 90 cc f1 a2 71 28 4c 1a cb 0b f4 26 33 
c6 7b 7c ab 96 49 a3 80 2c 1a 8b 41 63 51 98 20 e8 c3 f0 72 e5 91 99 64 2f 1a 85 e2 e3 e3 c3 f1 e6 8c d7 fa 49 15 4a be 54 28 1e af 95 7c ad 75 fd 6e 2d 9b 23 17 f3 95 32 79 88 4c b6 7a fc 06 04 c6 c8 94 32 45 8c 2c 1e cf e1 18 4e 9c 8e 77 0e 93 48 45 32 95 62 96 e1 88 3e b3 15 cb 25 49 62 11 4f 2e 8b c3 8f ed 31 5b f2 0d 0e 62 26 48 a3 08 05 20 91 4c 67 52 89 34 3e 83 45 64 f2 c9 02 22 2b 5a 48 16 b2 c8 64 81 ab 90 4c f8 5c 2f fa 86 fe ff b9 77 24 88 10 e9 3f 2e cd 78 08 ba 89 86 cf 2f 23 00 39 5f 86 48 2c 85 26 47 0e 8d 88 be 0f 98 38 26 1b 10 fd 06 8d 22 4c ff 04 d8 00 a0 91 48 24 0a 89 46 a1 d0 Data Ascii: TTSi~DHAgK!!! ET6HI PPF@,kAZ@Du2BD'd^8{\w9wZ~~?WDaH2M"I.|L vHj~<t!9x0V+%RwKUDN/$/c$E!X!KDQqqb%[-Ul&ce;/sdr1B' `tg)dJ"SI Rd?ZM.fqy<wgQ*EEuW@E"SHB&JbP.WJdRdJwa\B\_s
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: Byte-nginxContent-Type: image/jpegContent-Length: 8042Connection: keep-aliveAge: 8400Cache-Control: max-age=2592000Content-Encoding: gzipEtag: "59438b1e-2113"Expires: Sat, 30 Nov 2024 14:02:58 GMTLast-Modified: Fri, 16 Jun 2017 07:39:10 GMTVary: Accept-EncodingVia: cache07.jhmp03,pic03.hnxxcmX-Bdcdn-Cache-Status: TCP_MISS,TCP_HITX-Request-Id: eb3a40d660ffd02b0ab7368ee441e826X-Request-Ip: 173.254.250.77X-Response-Cache: parent_hitX-Response-Cinfo: 173.254.250.77X-Tt-Trace-Tag: id=5Date: Thu, 31 Oct 2024 16:22:58 GMTData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 76 05 54 5c cd b2 ee 10 9c 20 c1 12 24 c0 04 02 04 67 06 d7 21 d8 00 41 82 3b 04 19 24 30 0c 0c 4e 90 04 77 0b 12 20 c1 dd 9d 04 87 e0 16 34 38 04 0f ee 3e c0 23 ff 3d ff 39 f7 bd 75 de b9 b7 d6 da 7b 75 77 d5 57 fd 7d dd 55 7b ed bb a9 bb 25 00 85 8c 9b b5 05 00 20 2f cf 0a c0 01 fc cb ee 76 00 c4 d2 ce 66 36 ee 00 34 00 c6 fd 5c f4 7e 69 09 dd d5 ca c9 c9 5e 98 8b cb ce 91 d3 c4 1c 61 0a e3 34 43 c0 b9 dc 4c ec b9 40 9c dc 5c 00 51 88 9b bd 89 99 0d cc 09 68 0a b3 b4 b6 13 a3 df 6f 68 a1 07 5a 9b 8b d1 6b f3 29 71 2b d9 4b c1 ac ac e5 3c 90 30 75 0f 65 0d 33 0f 1b 33 21 73 7a 88 38 50 d4 4d d8 0d 6e 0f 87 39 99 00 dd e0 b6 76 8e c2 6e 62 f4 7f 25 17 be 1f ff 59 e6 a2 07 fe 15 e2 64 23 46 ff f2 8f 03 a8 a3 f4 1a 28 85 40 c2 80 7c 9c 7c 1c 66 dc 20 5e a0 80 10 27 88 0f c4 2b 08 62 07 82 b9 41 3c 5c dc 3c 5c 20 1e 0e 10 58 98 5b 48 18 c4 07 fc 87 d1 df ef 86 34 b7 10 56 93 96 fd c7 5e f7 33 31 fa 7f 88 72 75 75 e5 74 e5 e1 44 20 2d b9 40 42 42 42 5c dc 60 2e 30 98 e3 3e 82 c3 d1 dd ce c9 c4 8d c3 ce 91 e1 ef 0c d2 30 47 33 a4 b5 bd 93 35 c2 0e f8 67 6e 62 8a 70 76 12 a3 a7 ff 5b 02 dc 5e 49 e9 9f 89 ff ed 69 c1 e1 7f 74 fd 15 ed e8 a4 06 fb 17 8d 7f 1b ed a8 e1 6e 0f e3 52 83 39 22 9c 91 66 b0 fb 70 86 ff b6 d5 7f 86 fe 09 bc 67 23 ac 82 b4 be bf 14 13 5b 69 84 99 33 1c 66 e7 24 2f 2d 46 7f ef e1 34 b7 36 17 16 00 f1 81 85 b8 c1 b2 3c dc 52 7c 32 
3c 20 90 24 88 5b ea 25 af 14 58 90 57 e8 25 48 92 5b e0 ef 1c ff 0e 2b c8 0b 06 09 f1 0a f1 f0 0a 81 05 41 20 19 81 97 fc b2 dc 82 dc 2f 79 c1 60 19 19 19 29 49 a9 bf b1 f2 76 8e 4e 26 76 66 b0 bf b1 d6 ff c2 82 ff 23 56 58 0a 09 33 71 42 20 35 10 08 db bf 2b e0 b5 15 c2 09 e1 68 85 b0 07 4a 49 fd b9 71 3e e0 0b 6d 6b 3b 73 84 ab 23 cb 9f 2b fa 07 5b 18 d2 da 05 66 2e 8b 44 c0 81 7f 9d b1 b0 f5 bf e1 00 13 04 f1 82 cd 4c 41 1c dc 7c 82 3c 1c bc 26 02 42 1c 82 26 dc a6 1c 42 16 66 dc 66 42 dc dc a6 fc 66 dc f4 ff c0 9b ff 1b fd ff e3 d9 71 dd 13 Data Ascii: vT\ $g!A;$0Nw 48>#=9u{uwW}U{% /vf64\~i^a4CL@\QhohZk)q+K<0ue33!sz8PMn9vnb%Yd#F(@||f ^'+bA<\<\ X[H4V^31ruutD -@BBB\`.0>0G35gnbpv[^IitnR9"fpg#[i3
Source: global traffic HTTP traffic detected: GET /httpsEnable.gif?t=1730391733433 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: my.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /TCaptcha.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/tcaptcha-frame.5e0f125a.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /template/drag_ele.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/dy-jy3.js HTTP/1.1Accept: */*Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/dy-ele.16bf5dd7.js HTTP/1.1Accept: */*Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.gtimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dy-jy3.js HTTP/1.1Accept: */*Referer: https://turing.captcha.qcloud.com/template/drag_ele.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: turing.captcha.qcloud.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=417&ext_1=2&ext_2=wd_37cs&ext_3=921614&ext_4=2D9765A5A2ED4CE2ADBD5F7D47905931&ext_5=dc76deab4f96ab09d9dcaf79af94e8d7&ext_6=2&browser_type=3000 HTTP/1.1User-Agent: HTTPDownloaderHost: a.clickdata.37wan.com
Source: global traffic HTTP traffic detected: GET /controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391723 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391723 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /yx/jzcq/wd_37cs/921614/app.ini HTTP/1.1User-Agent: HTTPDownloaderHost: d.wanyouxi7.com
Source: global traffic HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /controller/client.php?action=register&game_id=417&tpl_type=game2 HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: gameapp.37.comConnection: Keep-AliveCookie: PHPSESSID=r8n5i200li7ekleljhb17avtb1; sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/rem_on.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/kv-ico.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&uid=921614&version=3000&installtime=20241031&runcount=1&curtime=20241031122201&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1.css?t=1730391727 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/js/client/game1.js?t=1730391727 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /2017/06/19141848xsCpC.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img2.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/lib/sq.core.js?t=20140304 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.login.js?t=20230803101600 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/reg.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/dot.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /www2015/images/common/third-logo-24.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.tab.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.statis.js HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.clientclass2.js?t=1730391727 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=417&sid=&position=1&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=&ext_5=gy&ext_6=&login_account=&browser_type=&user_ip=&refer=wd_37cs&uid=921614&page=4&t=1730391732770 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: a.clickdata.37wan.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /www2015/images/reglog/200x42.png?v=1 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /www/css/images/common/dialog2/bg-dialog-avatar.png?v=1 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/widget/sq.dialog2015.js?t=1730391733146&_=1730391733146 HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /proxy_yk.html HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: regapi.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /www/css/images/common/ico.png HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1/ HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cm.he2d.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/sq/lib/sq.core.js HTTP/1.1Accept: */*Referer: http://regapi.37.com/proxy_yk.htmlAccept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ptres.37.comConnection: Keep-AliveCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata= HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: cookiem.37.comCookie: sq_client_data=a%253A8%253A%257Bs%253A7%253A%2522game_id%2522%253Bs%253A3%253A%2522417%2522%253Bs%253A7%253A%2522version%2522%253Bs%253A4%253A%25223000%2522%253Bs%253A5%253A%2522refer%2522%253Bs%253A7%253A%2522wd_37cs%2522%253Bs%253A3%253A%2522uid%2522%253Bs%253A6%253A%2522921614%2522%253Bs%253A13%253A%2522showlogintype%2522%253Bs%253A1%253A%25223%2522%253Bs%253A8%253A%2522tpl_type%2522%253Bs%253A5%253A%2522game2%2522%253Bs%253A11%253A%2522installtime%2522%253Bs%253A8%253A%252220241031%2522%253Bs%253A10%253A%2522thirdlogin%2522%253Bs%253A1%253A%25221%2522%253B%257D; client_type=3
Source: global traffic HTTP traffic detected: GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=417&ext_1=4&ext_2=wd_37cs&ext_3=921614&ext_4=2D9765A5A2ED4CE2ADBD5F7D47905931&ext_5=dc76deab4f96ab09d9dcaf79af94e8d7&ext_6=2&browser_type=3000 HTTP/1.1User-Agent: HTTPDownloaderHost: a.clickdata.37wan.com
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/btn-log-short.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jzcq/css/client/game1/btn-reg.jpg HTTP/1.1Accept: */*Referer: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: img1.37wanimg.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: a.clickdata.37wan.com
Source: global traffic DNS traffic detected: DNS query: gameapp.37.com
Source: global traffic DNS traffic detected: DNS query: img1.37wanimg.com
Source: global traffic DNS traffic detected: DNS query: img2.37wanimg.com
Source: global traffic DNS traffic detected: DNS query: ptres.37.com
Source: global traffic DNS traffic detected: DNS query: d.wanyouxi7.com
Source: global traffic DNS traffic detected: DNS query: regapi.37.com
Source: global traffic DNS traffic detected: DNS query: my.37.com
Source: global traffic DNS traffic detected: DNS query: turing.captcha.qcloud.com
Source: global traffic DNS traffic detected: DNS query: cm.he2d.com
Source: global traffic DNS traffic detected: DNS query: cookiem.37.com
Source: global traffic DNS traffic detected: DNS query: turing.captcha.gtimg.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 31 Oct 2024 16:22:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveServer: nginx/1.4.7X-Via: 1.1 dianxun233:2 (Cdn Cache Server V2.0), 1.1 dj136:6 (Cdn Cache Server V2.0), 1.1 PS-CDG-01orF60:16 (Cdn Cache Server V2.0)x-ws-request-id: 6723aeae_PSfgblPAR2dz77_28077-3410Data Raw: 61 38 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 34 2e 37 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a8<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.4.7</center></body></html>0
Source: dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://a.clickdata.37wan.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://a.clickdata.37wan.com/0
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000081E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://a.clickdata.37wan.com/ces
Source: dqwhj_errwd.exe, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a.clickdata.37wan.com/controller/istat.controller.php?platform=37wan&item=u3tfl5ftfl&game_id=
Source: dqwhj_errwd.exe String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=c&account=%s&server_id=%s&platform=37wan&RandomTime=%s
Source: dqwhj_errwd.exe String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=m&ope=k&platform=37wan&server_id=%s&account=%s&timestamp=%s
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=m&ope=k&platform=37wan&server_id=%s&account=%s&timestamp=%sCurAcc
Source: dqwhj_errwd.exe String found in binary or memory: http://api.clogin.m2.6wtx.com/?act=m&ope=r&platform=37wan
Source: dqwhj_errwd.exe, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://api.clogin.m2.6wtx.com?act=p&platform=37wan
Source: dqwhj_errwd.exe String found in binary or memory: http://bbs.37.com/list-3829-1.html
Source: dqwhj_errwd.exe, 00000002.00000003.2102406429.000000000B108000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B108000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882032734.000000000B10A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cm.he2d.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953530382.000000000B228000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cm.he2d.com/1/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cm.he2d.com/1/&
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cm.he2d.com/1/(
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cm.he2d.com/1/comde
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cm.he2d.com/1/dd
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cookiem.37.com/
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cookiem.37.com/sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata=
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cookiem.37.com/sys/?u=uK4jZ7lpa5IBAAAALNcr&fdata=e
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: dqwhj_errwd.exe String found in binary or memory: http://d.wanyouxi7.com/37/jzcq/official/37jzcq.exe
Source: dqwhj_errwd.exe String found in binary or memory: http://d.wanyouxi7.com/37/jzcq/official/app.ini
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1691381928.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668064574.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1723271232.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1669149936.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668683718.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692162572.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692348251.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692330335.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1724369946.0000000002390000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889253533.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889292431.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp, lander.ini.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.ini
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.inic
Source: dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.inio
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/app.inir
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1691381928.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668064574.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1723271232.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1669149936.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000003.1668683718.0000000004800000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692162572.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692348251.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000003.1692330335.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1724369946.0000000002390000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889253533.000000000E550000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1889292431.000000000E550000.00000004.00000800.00020000.00000000.sdmp, lander.ini.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/dqwhj_errw.exe
Source: dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://d.wanyouxi7.com/yx/jzcq/wd_37cs/921614/dqwhj_errw.exeW
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/.ZJC/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/a
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/al
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/c
Source: client[1].htm.2.dr String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#0
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#;
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#B
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#E
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000954000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#L
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000954000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#O
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#U
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#i
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#l
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2#s
Source: dqwhj_errwd.exe, 00000002.00000003.1882032734.000000000B0E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2(
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2-IX
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFD3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game21
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game22
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game23
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game23000
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game25n
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2;
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2?t
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2A
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2B
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2E
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2F)
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2H
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2K
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2MN8C
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2R
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2UN
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2X
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2_
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2ame1/dot.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2awRB2
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2d
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2dlogin=1&refer
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2eC:
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2eI
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2ef))
Source: dqwhj_errwd.exe, 00000002.00000003.1896698789.000000000B58A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869813849.000000000B588000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869677910.000000000B586000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2939218925.0000000002683000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896549007.000000000B585000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870146236.000000000B58D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869638235.000000000B585000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869890267.000000000B589000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869569951.000000000B583000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896778847.000000000B58C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896491573.000000000B582000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896808247.000000000B58D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896728000.000000000B58B000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896667533.000000000B589000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870076464.000000000B58B000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896606881.000000000B587000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869464913.000000000B580000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1870109855.000000000B58C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869534061.000000000B582000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1869980076.000000000B58A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1896636744.000000000B588000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2http://gameapp
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2i
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2l
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D7D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2mO
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2p
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2s
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2t
Source: dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?action=register&game_id=417&tpl_type=game2v
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614-bu
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=9216149
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614P
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614U
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&refer=wd_37cs&uid=921614p
Source: dqwhj_errwd.exe String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1
Source: dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1&refer=wd_37cs&ui
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://gameapp.37.com/controller/client.php?game_id=417&tpl_type=game2&thirdlogin=1http://d.wanyouxi
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gameapp.37.com/rZ
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr String found in binary or memory: http://huodong.37.com/data/pop/app_yx_jzcqTips.xml
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37w
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/L
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000959000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D69000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000959000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000959000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=17303917237
Source: dqwhj_errwd.exe, 00000002.00000003.1765693906.0000000008D6B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723C:
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723com/
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723f
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391723w
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391727
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000959000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1.css?t=1730391727G
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpg
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpg#
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpg...
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgMicrosoft
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgc
Source: dqwhj_errwd.exe, 00000002.00000002.2968733704.000000000DC4A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102279160.000000000DC48000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102316505.000000000DC5E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DC2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpggame2&refer=wd_37cs&uid=921614
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgi
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgine-height:18px;padding-top:4px
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-log-short.jpgs
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpg
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpg8
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpgC
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpgS
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/btn-reg.jpgc
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.png6
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngF
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngj
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/dot.pngster&game_id=417&tpl_type=game2#
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.png
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.png391723
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.pngK
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/kv-ico.pngX
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpg
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpgE
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpgT
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://img1.37wanimg.com/jzcq/css/client/game1/log.jpgyG
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600R
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600S
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600T
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600me_id=417&tpl_type=game26
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765674143.0000000008D26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600t
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.login.js?t=20230803101600v
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.js
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.jsep
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.jsrp
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.statis.jstion=register&game_id=417&tpl_type=game2ogin=1
Source: dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2943953244.0000000003F38000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.js
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.js=
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.js?action=register&game_id=417&tpl_type=game2L
Source: dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000096E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jsO
Source: dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jshttp://ptres.37.com/js/sq/widget/sq.statis.js
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jsi
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ptres.37.com/js/sq/widget/sq.tab.jss
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/TQ.C
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/a
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/a4
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/ae
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1868502766.000000000B5D1000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1868388353.000000000B5D0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1866641939.000000000B5C3000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1898865420.000000000B5CE000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1868228791.000000000B5CE000.00000004.00000800.00020000.00000000.sdmp, sq.login[1].js.2.dr String found in binary or memory: http://regapi.37.com/proxy_yk.html
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CF3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B1A3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882740614.000000000B1A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.html#
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.html-ta
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.html/
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.html9
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.htmlC:
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.htmlM
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.htmlQ
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.htmlame
Source: dqwhj_errwd.exe, 00000002.00000002.2958030492.000000000B4E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.htmlhttp://ptres.37.com/js/sq/lib/sq.core.jsh
Source: dqwhj_errwd.exe, 00000002.00000002.2972690301.000000000E3BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.htmlhttp://regapi.37.com/proxy_yk.htmlt
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://regapi.37.com/proxy_yk.htmlient.php?action=register&game_id=417&tpl_type=game2pe=game2
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2436574299.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2945508827.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2968608108.000000000DBF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://turing.captcha.qcloud.com/
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DBF4000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2968608108.000000000DBF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://turing.captcha.qcloud.com/l
Source: dqwhj_errwd.exe, 00000002.00000003.2101296947.000000000DC6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://turing.captcha.qcloud.comC:
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725207147.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr String found in binary or memory: http://www.37.com
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102346615.000000000B19A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/-s
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq//;-webkit-tapr
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/Te
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/bQ
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/kQ
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/mp
Source: dqwhj_errwd.exe, 00000002.00000003.2102346615.000000000B19A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/ne;-webkit-tapr
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B19A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/o
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/ror
Source: dqwhj_errwd.exe, 00000002.00000003.1765118447.0000000008D16000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765851841.0000000003562000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1764840856.0000000008D44000.00000004.00000020.00020000.00000000.sdmp, client[1].htm0.2.dr, client[1].htm.2.dr String found in binary or memory: http://www.37.com/jzcq/xinwen/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20180428-2101/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20180428-2101//
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20200904-3964/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.0000000000990000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965//btn-reg.jpg;
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/9WRC
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/mlPW5C
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/20201119-3965/mlzW
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/G
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/N
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/xinwen/~
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/jzcq/z
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/notice/2021/0112/78827.html
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/notice/2021/0112/78827.html&
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.37.com/notice/2021/0112/78827.html)
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725207147.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr String found in binary or memory: http://www.37.com17512031204RTL
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725207147.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr String found in binary or memory: http://www.37.com;
Source: dqwhj_errwd.exe, 00000002.00000002.2948731273.0000000007A3D000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2948731273.0000000007A22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ca.turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000002.2967544283.000000000DABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ca.turing.captcha.qcloud.comhttps://turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000002.2972517657.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.js3
Source: dqwhj_errwd.exe, 00000002.00000002.2959133004.000000000B560000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.jsNatK
Source: dqwhj_errwd.exe, 00000002.00000002.2967324498.000000000DA96000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958484214.000000000B52F000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2041786911.000000000DA96000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2012767637.000000000DA96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cloudcache.tencentcs.com/qcloud/main/scripts/release/common/vendors/jquery-3.2.1.min.jsf
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002910000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: dqwhj_errwd.exe, 00000002.00000002.2972238558.000000000E377000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://global.turing.captcha.gtimg.com
Source: dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://global.turing.captcha.gtimg.comhttps://turing.captcha.gtimg.com/1Y
Source: dqwhj_errwd.exe, 00000002.00000002.2971897316.000000000E369000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://global.turing.captcha.gtimg.comhttps://turing.captcha.gtimg.comtarget
Source: dqwhj_errwd.exe, 00000002.00000002.2967544283.000000000DABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://global.turing.captcha.gtimg.comtencent-captcha__middle-fontsizetencent-captcha-dy__status-no
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CEE000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008CEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comt
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/2
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, sq.login[1].js.2.dr String found in binary or memory: https://my.37.com/api/login.php
Source: dqwhj_errwd.exe, 00000002.00000002.2939218925.000000000269B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/api/login.phpERROR_TYPE_FRAMEJS_CODE_ERROR
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, sq.login[1].js.2.dr String found in binary or memory: https://my.37.com/api/register.php
Source: dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/httpsEnable.gif?t=
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433
Source: dqwhj_errwd.exe, 00000002.00000003.2436833597.000000000B25C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/httpsEnable.gif?t=17303917334331
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433:hidden;width:1px;padding:1px;display:inline;zoom:1
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433_
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.37.com/httpsEnable.gif?t=1730391733433m
Source: dqwhj_errwd.exe, 00000002.00000003.2012644987.000000000DA8C000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958811416.000000000B553000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2012767637.000000000DA8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rce.tencentrio.com
Source: dqwhj_errwd.exe, 00000002.00000002.2967324498.000000000DA8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rce.tencentrio.comA
Source: dqwhj_errwd.exe, 00000002.00000003.2041786911.000000000DA8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rce.tencentrio.comNatK8$0
Source: dqwhj_errwd.exe, 00000002.00000002.2961497409.000000000BB6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rce.tencentrio.comt
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, sq.login[1].js.2.dr String found in binary or memory: https://regapi.37.com/api/p_register_phone.php
Source: dqwhj_errwd.exe, 00000002.00000002.2939218925.0000000002683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://regapi.37.com/api/p_register_phone.php//regapi.37.com/code_check.php?callback=?
Source: dqwhj_errwd.exe, 00000002.00000002.2957391207.000000000B4C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://regapi.refreshImgthirdLogBtninputStatusclientTypeNamescheckCodeUrlisRenderenterGame//gameapp
Source: dqwhj_errwd.exe, 00000002.00000002.2966096684.000000000DA2A000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2039534223.000000000DA29000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013697091.000000000DA22000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013775670.000000000DA25000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2039339268.000000000DA25000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013850453.000000000DA27000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2013932735.000000000DA29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sv.aq.qq.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2972238558.000000000E377000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008CF3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B1A3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882740614.000000000B1A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2967544283.000000000DABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1
Source: dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DC2E000.00000004.00000020.00020000.00000000.sdmp, drag_ele[1].htm.2.dr String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-ele.16bf5dd7.js
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-ele.16bf5dd7.js8
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFC8000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js/template/drag_ele.html...ata=...6ww/c
Source: dqwhj_errwd.exe, 00000002.00000002.2967857693.000000000DAC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js0W
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js3
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.js7
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/dy-jy3.jsag_ele.htmlag_ele.html...tpl_type=game2N
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2940165882.00000000028B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.js
Source: dqwhj_errwd.exe, 00000002.00000003.1930021748.000000000DAA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.js//ptres.37.com/js/sq/widget/sq.login.js
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsX
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsme_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsme_id=417&tpl_type=game2:inline;zoom:1
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1/tcaptcha-frame.5e0f125a.jsz
Source: dqwhj_errwd.exe, 00000002.00000002.2953286303.000000000B1A3000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102065360.000000000B1A1000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1882740614.000000000B1A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/104
Source: dqwhj_errwd.exe, 00000002.00000003.1979973185.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1930358141.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2972517657.000000000E3A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/1https://global.turing.captcha.gtimg.comhttps://ca.turing.captcha.q
Source: dqwhj_errwd.exe, 00000002.00000002.2959994308.000000000B5C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.gtimg.com/public/res/tcaptcha-icons-merge.34d219bf.png)
Source: dqwhj_errwd.exe, 00000002.00000002.2968608108.000000000DBF6000.00000004.00000020.00020000.00000000.sdmp, drag_ele[1].htm.2.dr String found in binary or memory: https://turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com///turing.captcha.qcloud.com/template/drag_ele.html...
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/FW
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2953530382.000000000B1FF000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2958484214.000000000B53D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.js
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.js-
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.jsj
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/TCaptcha.jsn
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js&
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js)
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js3
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js7/gC
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.js;/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsC:
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsO
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsbf5dd7.jsml
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsefineProperty
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsg/
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsrag_ele.htmler&game_id=417&tpl_type=game2Fs
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jsrag_ele.htmll=
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/dy-jy3.jst
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/tcapicon.eot
Source: dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000B06A000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B06A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/tcapicon.eot7
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D5B000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102316505.000000000DC5E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934946845.00000000006BD000.00000004.00000010.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2102099738.000000000DC2E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000B090000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html##
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#D8FFFFFF
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#c
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html#s
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html...
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html/6
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html172727IE5
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.html2
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlC
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlS
Source: dqwhj_errwd.exe, 00000002.00000002.2934946845.00000000006BD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlW
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmler&game_id=417&tpl_type=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2938942824.0000000002575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmler&game_id=417&tpl_type=game2er=wd_37cs&uid=
Source: dqwhj_errwd.exe, 00000002.00000002.2951536662.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.2101339616.000000000AFEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmler&game_id=417&tpl_type=game2pe=game2
Source: dqwhj_errwd.exe, 00000002.00000002.2967857693.000000000DAC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmlhttps://turing.captcha.qcloud.com/template/d
Source: dqwhj_errwd.exe, 00000002.00000002.2968549608.000000000DBE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.com/template/drag_ele.htmll
Source: dqwhj_errwd.exe, 00000002.00000002.2971897316.000000000E369000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.comNatKH$8
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.comTCaptcha.js.js?t=1730391733146&_=1730391733146..2c
Source: dqwhj_errwd.exe, 00000002.00000003.1978756747.000000000E369000.00000004.00000800.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2971897316.000000000E369000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.comhttps://turing.captcha.qcloud.com
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.comtemplate/drag_ele.htmler&game_id=417&tpl_type=game2Z
Source: dqwhj_errwd.exe, 00000002.00000002.2961100661.000000000BB43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://turing.captcha.qcloud.comx
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown HTTPS traffic detected: 180.188.25.9:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.154.254.89:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 60.221.17.65:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042

System Summary

Source: FindProcDLL.dll.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00483070: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, 1_2_00483070
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00462F20 1_2_00462F20
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A41C2 1_2_004A41C2
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00482250 1_2_00482250
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004643F0 1_2_004643F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004AA415 1_2_004AA415
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00486560 1_2_00486560
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0048A7F0 1_2_0048A7F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00464870 1_2_00464870
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0046CA50 1_2_0046CA50
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A0A6F 1_2_004A0A6F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00492B70 1_2_00492B70
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A8CAF 1_2_004A8CAF
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A4EAA 1_2_004A4EAA
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A0F44 1_2_004A0F44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00499117 1_2_00499117
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A91F3 1_2_004A91F3
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0046F370 1_2_0046F370
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A1318 1_2_004A1318
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00455570 1_2_00455570
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00481510 1_2_00481510
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0049D71E 1_2_0049D71E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A1724 1_2_004A1724
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A9737 1_2_004A9737
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0046D9F0 1_2_0046D9F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00479A60 1_2_00479A60
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A1B44 1_2_004A1B44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0047FD00 1_2_0047FD00
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00455F40 1_2_00455F40
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00479A60 2_2_00479A60
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A41C2 2_2_004A41C2
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00482250 2_2_00482250
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004643F0 2_2_004643F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004AA415 2_2_004AA415
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00486560 2_2_00486560
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0048A7F0 2_2_0048A7F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00464870 2_2_00464870
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0046CA50 2_2_0046CA50
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A0A6F 2_2_004A0A6F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00492B70 2_2_00492B70
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A8CAF 2_2_004A8CAF
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A4EAA 2_2_004A4EAA
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A0F44 2_2_004A0F44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00462F20 2_2_00462F20
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00499117 2_2_00499117
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A91F3 2_2_004A91F3
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0046F370 2_2_0046F370
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A1318 2_2_004A1318
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00455570 2_2_00455570
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00481510 2_2_00481510
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0049D71E 2_2_0049D71E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A1724 2_2_004A1724
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A9737 2_2_004A9737
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0046D9F0 2_2_0046D9F0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A1B44 2_2_004A1B44
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0047FD00 2_2_0047FD00
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00455F40 2_2_00455F40
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: String function: 0049AA11 appears 32 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: String function: 00490890 appears 38 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: String function: 00481000 appears 36 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: String function: 00457360 appears 99 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: String function: 00495E80 appears 120 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: String function: 00498B0A appears 60 times
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal84.evad.winEXE@5/48@12/9
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0046C9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 1_2_0046C9B0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0046C9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 2_2_0046C9B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00480F30 RegOpenKeyExW,CreateToolhelp32Snapshot,_memset,Process32FirstW,Process32NextW,CloseHandle, 1_2_00480F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0045E050 LoadResource,LockResource,SizeofResource, 1_2_0045E050
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Roaming\mk-jzcq
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Local\Temp\nsv2F3B.tmp
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Command line argument: 37Lander 1_2_004697C0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Command line argument: 37Lander 2_2_004697C0
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe "C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: msiso.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: mshtml.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: msimtf.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: d2d1.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: jscript9.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: windowscodecsext.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: msxml6.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dxtrans.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ddrawex.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ddraw.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dciman32.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dxtmsft.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: .lnk.0.dr LNK file: ..\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
Source: .lnk0.0.dr LNK file: ..\..\..\..\..\..\mk-jzcq\dqwhj_errwd.exe
Source: .lnk.0.dr LNK file: ..\..\..\..\..\..\mk-jzcq\uninst.exe
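The three LNK entries above carry only relative paths: one level up for the Desktop-style shortcut (..\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe) and six levels up for the two Start Menu shortcuts (..\..\..\..\..\..\mk-jzcq\dqwhj_errwd.exe and uninst.exe). A shortcut's target is its RELATIVE_PATH resolved against the directory the .lnk itself lives in, so both depths land on the same %APPDATA%\mk-jzcq payload. The script below is an added example, not code from this report or from the sample: it parses the StringData section of a .lnk (MS-SHLLINK layout) and resolves the relative path against the shortcut's location. The Start Menu folder names used in the test are placeholders, because the real names were non-ASCII and are not preserved in the report, and build_minimal_lnk() exists only to produce offline test input.

```python
r"""
Pull RELATIVE_PATH and arguments out of a .lnk and resolve the real target.
Added example; the shortcut folder names used for testing are assumed.
"""
import struct
import uuid
from pathlib import PureWindowsPath

# ShellLinkHeader layout and LinkFlags from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections follow LinkInfo in this fixed order, each gated by a flag.
STRING_DATA = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative_path, arguments, ...) of a .lnk."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def resolve_target(lnk_path: str, relative_path: str) -> str:
    """Resolve RELATIVE_PATH against the directory that contains the .lnk."""
    parts = list(PureWindowsPath(lnk_path).parent.parts)
    for piece in relative_path.split("\\"):
        if piece == "..":
            if len(parts) > 1:  # never pop the drive anchor
                parts.pop()
        elif piece and piece != ".":
            parts.append(piece)
    return str(PureWindowsPath(*parts))


def build_minimal_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Construct the smallest .lnk parse_lnk() accepts (test input only)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    # LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        if text:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body
```

On a live host, feed parse_lnk() the bytes of each .lnk under the user's Start Menu\Programs and Desktop and pass its path plus the returned relative_path to resolve_target(); any shortcut resolving into %APPDATA%\mk-jzcq is one of the installer's.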
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File written: C:\Users\user\AppData\Roaming\mk-jzcq\lander.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.FileRepMalware.6479.21607.exe Static file information: File size 1647950 > 1048576
Source: Binary string: \Bin\lander.pdbX G source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\lander.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000026E9000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe.0.dr, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\iconTips.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.00000000028DC000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\iconAnimate.pdb source: SecuriteInfo.com.FileRepMalware.6479.21607.exe, 00000000.00000002.1725819778.0000000002890000.00000004.00000020.00020000.00000000.sdmp, nsv2F3C.tmp.0.dr
Source: Binary string: \Bin\lander.pdbX L source: dqwhj_errwd.exe, 00000001.00000000.1691701850.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000001.00000002.1722241929.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000002.2934068778.00000000004B1000.00000002.00000001.01000000.00000008.sdmp, dqwhj_errwd.exe, 00000002.00000000.1723459271.00000000004B1000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00496616 push ecx; ret 1_2_00496629
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00495EC5 push ecx; ret 1_2_00495ED8
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004925D3 push dword ptr [ecx-75h]; iretd 2_2_004925DF
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00496616 push ecx; ret 2_2_00496629
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_00495EC5 push ecx; ret 2_2_00495ED8
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0BC044D6 push esi; ret 2_2_0BC044D8
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0BC095EE push 6803580Bh; iretd 2_2_0BC095F5
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0BC08CB0 push 6803580Bh; iretd 2_2_0BC08CB5
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0BC09217 push 6803580Bh; iretd 2_2_0BC0921C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E558A65 push 6803580Bh; retf 0002h 2_2_0E558A6A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E5546D4 push edx; iretd 2_2_0E5546DA
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E5546E6 push edx; iretd 2_2_0E5546EC
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E5520BE push 00000078h; iretd 2_2_0E5520C4
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E55474B push ecx; iretd 2_2_0E55474C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E554773 push ecx; iretd 2_2_0E554774
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E554734 push ecx; iretd 2_2_0E55473A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E5547DB push ecx; iretd 2_2_0E5547E1
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E5547F2 push ecx; iretd 2_2_0E5547F3
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0E5547BA push ecx; iretd 2_2_0E5547C0

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 1_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 1_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 1_2_00483509
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_00483509
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll

Boot Survival

Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 1_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 1_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 1_2_00483509
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: DeviceIoControl,_memset,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_00483070
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_004834E0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: CreateFileW,_memset,DeviceIoControl,DeviceIoControl,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_00483509
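The \\.\PhysicalDrive%d evidence listed under Persistence and Installation Behavior and again under Boot Survival is the same three functions, and the API chain in each is CreateFileW plus DeviceIoControl with no WriteFile. That establishes raw disk device control (the kind of IOCTL traffic used, among other things, to read disk geometry and serial numbers), not a confirmed write to sector 0. Whether the boot sector actually changed is settled on the host: dump sector 0 before detonation, dump it again afterwards, and diff the boot code, the NT disk signature and the partition table. The script below is an added example, not code from this report or from the sample; read_sector0() opens the raw device (administrative rights on Windows), and build_sample_mbr() constructs a synthetic MBR so the parser and comparison run offline.

```python
r"""
Parse sector 0 of a disk and compare it against a pre-detonation baseline.
Added example; the sample MBR is constructed, not taken from any host.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55          # bytes 55 AA at offset 510
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte NT disk signature; boot code precedes it
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Parse boot-code hash, disk signature and partition table out of sector 0."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if struct.unpack_from("<H", sector, 510)[0] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", sector, entry)
        if type_id != 0:
            partitions.append(Partition(status == 0x80, type_id, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIGNATURE_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return the parts of the MBR that differ; an empty list means unchanged."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("boot code changed")
    if before["disk_signature"] != after["disk_signature"]:
        findings.append("disk signature changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk device (unbuffered; needs admin on Windows)."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes = b"\xeb\x63\x90", disk_signature: int = 0x12345678) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS partition (test input only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)
```

Take the baseline with read_sector0() on the clean VM snapshot, save the bytes, and after running the sample call compare_mbr(baseline, read_sector0()); only a non-empty result supports the boot-sector claim. A GPT disk still carries a protective MBR in sector 0, so the same check applies there, though on GPT systems the real partition table lives in the following sectors.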
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \ \ .lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37 \ \ .lnk
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004799A0 IsIconic,ShowWindow,ShowWindow,ShowWindow,SetWindowPos,SetForegroundWindow, 1_2_004799A0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004799A0 IsIconic,ShowWindow,ShowWindow,ShowWindow,SetWindowPos,SetForegroundWindow, 2_2_004799A0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: 3F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: 2730000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: 28D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: 28F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: 28D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: B1C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: B3C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: B440000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: B4A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: B500000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: B5A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: BB80000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: BBE0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: BC20000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: BC40000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: BBA0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: BE60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: BE80000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: 4670000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: A9C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: A9E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: B2C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: DBC0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: D8A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: D920000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: D960000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: D9C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: DA40000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E330000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E3D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E410000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E430000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: D8E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: D900000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: DA00000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: DFE0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E000000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E020000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E060000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E080000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E0A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E1A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E1C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E1E0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E200000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E240000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E260000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E280000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E2A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E2C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E590000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E5F0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E6B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E710000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E730000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E750000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E770000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E790000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E7B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E810000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E830000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E850000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo, 1_2_0047F940
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo, 2_2_0047F940
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Window / User API: foregroundWindowGot 1719
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe API coverage: 9.7 %
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0046CA50 GetLocalTime followed by cmp: cmp ax, cx and CTI: jnc 0046CE0Fh 1_2_0046CA50
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0046CA50 GetLocalTime followed by cmp: cmp ax, cx and CTI: jnc 0046CE0Fh 2_2_0046CA50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00490B2A VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 1_2_00490B2A
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000084E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@`
Source: dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQH
Source: dqwhj_errwd.exe, 00000002.00000002.2936160262.000000000096E000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765140292.000000000097D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000087D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnH&
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000087D000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000002.2949357373.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, dqwhj_errwd.exe, 00000002.00000003.1765034680.0000000008D01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0049089B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0049089B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00490B2A VirtualProtect ?,-00000001,00000104,? 1_2_00490B2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004AA16A CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_004AA16A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0049662A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0049662A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0049089B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0049089B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0048F4C0 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0048F4C0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0049160D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0049160D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A5EA9 SetUnhandledExceptionFilter, 1_2_004A5EA9
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0049662A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0049662A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0049089B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0049089B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0048F4C0 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0048F4C0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_0049160D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0049160D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 2_2_004A5EA9 SetUnhandledExceptionFilter, 2_2_004A5EA9
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: page read and write | page guard
Source: nsv2F3C.tmp.0.dr Binary or memory string: @Program ManagerProgmanSHELLDLL_DefViewSysListView32WorkerWGetNativeSystemInfokernel32.dllSeDebugPrivilege
Source: nsv2F3C.tmp.0.dr Binary or memory string: @]>&apos;&quot;&gt;&lt;&amp;</PRE><PRE>--><!--><!DOCTYPE]]><![CDATA[rbProgram ManagerProgmanSHELLDLL_DefViewSysListView32WorkerWGetNativeSystemInfokernel32.dllSeDebugPrivilege
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 1_2_004A0325
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA, 1_2_004A640C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_004A043C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 1_2_004A04D4
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_004A0548
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_004A071A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_004A07DB
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_004A0842
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 1_2_004A087E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 1_2_00496B75
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 1_2_0049F47D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA, 1_2_0049750F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_0049F60B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 1_2_0049FC79
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 1_2_004A7DE0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 1_2_004A7E14
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 1_2_0049FED1
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_004A7F53
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_004A0325
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA, 2_2_004A640C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_004A043C
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 2_2_004A04D4
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_004A0548
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_004A071A
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_004A07DB
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_004A0842
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 2_2_004A087E
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 2_2_00496B75
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 2_2_0049F47D
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoA, 2_2_0049750F
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_0049F60B
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 2_2_0049FC79
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 2_2_004A7DE0
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 2_2_004A7E14
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 2_2_0049FED1
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_004A7F53
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_004A6237 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_004A6237
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_00499CF9 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 1_2_00499CF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B88
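The signature lines above mix findings of very different evidential value: the write-watch allocations, the admin-token check, the GetLocalTime comparison and the raw PhysicalDrive0 open on one side; CRT locale initialisation, the IsDebuggerPresent call that sits next to CRT fault-handler routines (`__invoke_watson`, `_abort`, `__NMSG_WRITE`), the "Hyper-V RAW" memory string, and NSIS plugin DLLs (System.dll, FindProcDLL.dll, unpacked by every NSIS installer into `%TEMP%\ns????.tmp`) on the other. The following triage script is an added example written for this page; it is not part of the Joe Sandbox report, nor code from the sample. It parses report lines of the form `Source: <process> <event>: <detail>` (stripping the "Jump to behavior" link text), and attaches a weight to each record. The weights and the benign-context rules are the editor's assumptions, not sandbox scoring: the NSIS plugin list, the treatment of the "Hyper-V RAW" string as the Winsock provider name that exists on any Windows 10 or later host, the heuristic that an IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter/TerminateProcess chain is the MSVC CRT fatal-error handler pattern, and the note that opening PhysicalDrive0 alone does not prove boot-sector infection (it is also how disk serials are read) are all stated as assumptions in the code. The embedded sample is a constructed subset of thirteen lines copied from this section.

```python
"""Triage of Joe Sandbox-style behaviour lines ("Source: <proc> <event>: <detail>").

Added example for this page; not part of the report or of the analysed sample.
"""
import re
from collections import Counter

# Constructed sample: thirteen lines copied from the report section above.
SAMPLE = r"""
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E080000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E0A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Memory allocated: E1A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mk-jzcq\uninst.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6479.21607.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa2FF8.tmp\FindProcDLL.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0046CA50 GetLocalTime followed by cmp: cmp ax, cx and CTI: jnc 0046CE0Fh 1_2_0046CA50
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: 1_2_0049089B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0049089B
Source: dqwhj_errwd.exe, 00000001.00000002.1722527337.000000000084E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@`
Source: C:\Users\user\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_004A043C
""".strip().splitlines()

KINDS = ("Memory allocated", "Dropped PE file which has not been started",
         "Evasive API call chain", "Check user administrative privileges",
         "File opened", "Code function", "Binary or memory string")
LINE_RE = re.compile(r"^Source:\s+(?P<source>.+?)\s+(?P<kind>"
                     + "|".join(map(re.escape, KINDS)) + r"):\s*(?P<detail>.*)$")
LINK_RE = re.compile(r"\s+Jump to (?:behavior|dropped file)$")   # report link text
FUNC_ID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]+$")                # e.g. 1_2_0049089B
# Assumption: standard NSIS plugins, unpacked to %TEMP%\ns????.tmp by any NSIS installer.
NSIS_TMP_RE = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)
NSIS_PLUGINS = {"system.dll", "findprocdll.dll", "nsexec.dll", "inetc.dll"}
# Assumption: this chain is the MSVC CRT fatal-error handler, not hand-written anti-debug.
CRT_FATAL = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
             "UnhandledExceptionFilter", "TerminateProcess"}


def parse(line):
    """Split one report line into source / kind / detail; None if not a recognised line."""
    m = LINE_RE.match(LINK_RE.sub("", line.strip()))
    return m.groupdict() if m else None


def assess(rec):
    """Return (category, weight, note). Weights are triage heuristics, not sandbox scores."""
    kind, detail = rec["kind"], rec["detail"]
    if kind == "Memory allocated":
        addr, _, flags = detail.partition(" ")
        flagset = {f.strip() for f in flags.split("|")}
        if "memory write watch" not in flagset:
            return "allocation", "info", addr
        state = "committed" if "memory commit" in flagset else "reserve-only"
        return "write-watch allocation", "medium", f"{addr} {state}"
    if kind == "Dropped PE file which has not been started":
        name = detail.rsplit("\\", 1)[-1].lower()
        if NSIS_TMP_RE.search(detail) and name in NSIS_PLUGINS:
            return "dropped PE", "weak", f"{name}: standard NSIS plugin unpacked by the installer"
        return "dropped PE", "medium", detail
    if kind in ("Evasive API call chain", "Check user administrative privileges"):
        apis = [a for a in detail.split(",") if a and a != "DecisionNodes"]
        return "evasive chain", "medium", " -> ".join(apis)
    if kind == "File opened":
        if detail.lower().startswith("physicaldrive"):
            # Assumption: a raw-disk handle alone is also how disk serials are read;
            # boot-sector infection needs a write or IOCTL trace to confirm.
            return "raw disk open", "strong", detail + " (confirm with write/IOCTL trace)"
        return "file open", "info", detail
    if kind == "Binary or memory string":
        if detail.startswith("Hyper-V RAW"):
            # Assumption: Winsock catalog provider name, present on Windows 10+ without a VM.
            return "vm string", "weak", "Winsock 'Hyper-V RAW' provider name"
        return "string", "info", detail
    # Code function: "<id> API,API,... <id>" or "<id> GetLocalTime followed by cmp ..."
    if "GetLocalTime followed by cmp" in detail:
        return "date check", "medium", detail.split()[0]
    apis = {a for a in re.split(r"[ ,]+", detail) if a and not FUNC_ID_RE.match(a)}
    if CRT_FATAL <= apis:
        return "anti-debug", "weak", "IsDebuggerPresent inside MSVC CRT fatal-error handler pattern"
    if any(a.startswith("_") for a in apis):
        return "crt routine", "weak", "underscore-prefixed CRT internals (locale/heap/stdio init)"
    return "api chain", "info", ", ".join(sorted(apis))


def triage(lines):
    """Parse and assess every recognised line; unrecognised lines are skipped."""
    records = []
    for line in lines:
        rec = parse(line)
        if rec:
            rec["category"], rec["weight"], rec["note"] = assess(rec)
            records.append(rec)
    return records


def summarize(records):
    """Counts per (category, weight) and write-watch regions reserved but never committed."""
    counts = Counter((r["category"], r["weight"]) for r in records)
    reserve_only = [r["note"].split()[0] for r in records
                    if r["category"] == "write-watch allocation" and r["note"].endswith("reserve-only")]
    return counts, reserve_only


if __name__ == "__main__":
    recs = triage(SAMPLE)
    for r in recs:
        print(f"[{r['weight']:6}] {r['category']:22} {r['note']}")
    counts, reserve_only = summarize(recs)
    print("reserve-only write-watch regions:", reserve_only)
    print("strong/medium findings:", sum(n for (_, w), n in counts.items() if w in ("strong", "medium")))
```

Run over the full section, the script reduces the 55 write-watch allocations to one count plus the single region (E0A0000) that was reserved but never committed, and it leaves the raw-disk open, the admin-token check and the GetLocalTime comparison as the findings worth a closer look; the CRT and installer lines drop to "weak" without being discarded.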
Map legend (shading by number of IPs; the map image itself is not reproduced here): No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs