Summary | ZeroBOX

sdly_taskpop61.exe

Category Machine Started Completed
FILE s1_win7_x6401 June 14, 2021, 8:15 p.m. June 14, 2021, 8:35 p.m.
Size 3.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 bc7522c569863c07247effeed6adda85
SHA256 1704f37b457e8947b989c130dc603c67d5d1d1166e2a3138698610d3f2d0bbfc
CRC32 44109D7C
ssdeep 98304:l1wpL+zIIQn5PEdqRj0auF2QzjumyCzEpqS:Tw4d85PEuj0GQuZQzS
PDB Path D:\box\WdGameBox\Release\LiteGameBox2.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 115.238.192.244:80 -> 192.168.56.101:49199 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 183.136.197.100:80 -> 192.168.56.101:49206 2014819 ET INFO Packed Executable Download Misc activity
TCP 183.136.197.100:80 -> 192.168.56.101:49206 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 183.136.197.100:80 -> 192.168.56.101:49206 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity
TCP 192.168.56.101:49225 -> 115.238.192.238:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49225 -> 115.238.192.238:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018 CN=*.ludashi.com de:bb:03:64:46:22:7a:b6:88:99:ca:90:fc:d7:1b:f7:af:40:25:e3

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\box\WdGameBox\Release\LiteGameBox2.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name FILERES
resource name ZIPRES
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72862000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72862000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04510000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04512000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04513000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04514000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04515000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04516000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04517000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04518000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13556924416
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13556531200
free_bytes_available: 13556531200
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
regkey .*360Safe
name FILERES language LANG_CHINESE filetype ASCII text sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0016fc48 size 0x000004d2
name ZIPRES language LANG_CHINESE filetype Zip archive data, at least v2.0 to extract sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00335ec8 size 0x00032633
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0036c4d4 size 0x00000468
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0036c9a4 size 0x00000022
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0036c9c8 size 0x0000003e
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0036ca08 size 0x000001e4
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x04510000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Server: Tengine Content-Type: application/octet-stream Content-Length: 1113400 Connection: keep-alive Date: Mon, 14 Jun 2021 07:51:44 GMT x-oss-request-id: 60C70A90A89BDA35305E6C0A x-oss-cdn-auth: success Accept-Ranges: bytes ETag: "C4AA6D9E72A1721B3F65646E04E702CF" Last-Modified: Thu, 17 Dec 2020 05:40:22 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 3096456683339413985 x-oss-storage-class: Standard Content-MD5: xKptnnKhchs/ZWRuBOcCzw== x-oss-server-time: 27 Via: cache29.l2cn2628[0,1,304-0,H], cache39.l2cn2628[3,0], vcache32.cn2038[0,0,200-0,H], vcache35.cn2038[2,0] Ali-Swift-Global-Savetime: 1615174726 Age: 13283 X-Cache: HIT TCP_MEM_HIT dirn:11:446403638 X-Swift-SaveTime: Mon, 14 Jun 2021 09:51:01 GMT X-Swift-CacheTime: 10800 Access-Control-Allow-Origin: * Timing-Allow-Origin: * EagleId: 73eec0b716236703879546736e MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $¹øñiý™Ÿ:ý™Ÿ:ý™Ÿ:ôá
received: 1024
socket: 1280
1 1024 0
section name .rsrc virtual_address 0x00134000 virtual_size 0x00238f24 size_of_data 0x00239000 entropy 7.958031485910173 description A section with a high entropy has been found
entropy 0.642574816488 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WdGame_sdly
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0003001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WdGame_sdly
2 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\sdly_taskpop61.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\sdly.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\sdly.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\sdly.exe
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000154
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
1 0 0

NtCreateFile

create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000154
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
1 0 0

DeviceIoControl

input_buffer:
control_code: 2954240 ()
device_handle: 0x00000154
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036
1 1 0
process sdly_taskpop61.exe useragent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process sdly_taskpop61.exe useragent
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_extensions.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\id.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ml.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\zh-CN.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\fi.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\pt-PT.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\uk.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\fil.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\sk.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\vi.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\am.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\en-US.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\pt-BR.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ta.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\de.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ro.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\natives_blob.bin
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\lv.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_resources.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_200_percent.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\gu.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\en-GB.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\cs.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\hr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\sr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ru.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\pl.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\mr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ja.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ms.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\th.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_100_percent.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\nl.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\zh-TW.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\da.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\nb.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\he.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\hu.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ca.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\bn.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\lt.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\tr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\fr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\te.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\et.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\sl.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\snapshot_blob.bin
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\it.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\bg.pak
MicroWorld-eScan Gen:Variant.Doina.15467
CAT-QuickHeal Trojan.Doina
McAfee Artemis!BC7522C56986
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
Sangfor Trojan.Win32.PSE.1K4L0HE
Arcabit Trojan.Doina.D3C6B
Symantec ML.Attribute.HighConfidence
APEX Malicious
ClamAV Win.Malware.Fsysna-9760418-0
BitDefender Gen:Variant.Doina.15467
Paloalto generic.ml
TrendMicro TROJ_FRS.VSNTF521
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.bc7522c569863c07
Emsisoft Gen:Variant.Doina.15467 (B)
AegisLab Trojan.Win32.Generic.4!c
GData Win32.Trojan.PSE.1K4L0HE
Cynet Malicious (score: 100)
TrendMicro-HouseCall TROJ_FRS.VSNTF521
Rising Adware.Agent!1.CFEB (CLASSIC)
Fortinet W32/Johnnie.3159!tr
MaxSecure Trojan.Malware.118875318.susgen
Panda Trj/Genetic.gen