Summary | ZeroBOX

scbybttprepush528.exe

Tags: Emotet Gen1, Anti_VM, GIF Format, PE64, MSOffice File, PNG Format, PE File, OS Processor Check, PE32, JPEG Format, DLL

Category  Machine        Started                    Completed
FILE      s1_win7_x6402  June 15, 2021, 10:27 a.m.  June 15, 2021, 10:37 a.m.
Size 4.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5f32ab11399c7596889739620f178464
SHA256 5e8f1d5b44cff748ac52b4e8b945dd34e8d2b5ae6659076af594ff9bfde45109
CRC32 56DC6949
ssdeep 98304:H1wpL+TIIen5P3dipbX9DZhshMK0L7gVQzjumyCzEpqu:Vw49u5P3KblZhY4wQuZQzu
PDB Path D:\box\WdGameBox\Release\LiteGameBox2.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

IP Address Status Action
101.227.25.210 Active Moloch
114.115.214.33 Active Moloch
115.238.192.239 Active Moloch
115.238.192.248 Active Moloch
120.27.82.56 Active Moloch
122.225.67.180 Active Moloch
139.129.105.182 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
180.163.122.224 Active Moloch
47.117.78.230 Active Moloch

Suricata Alerts

Flow                                             SID        Signature                                                        Category
TCP 180.163.122.224:80 -> 192.168.56.102:49813   2014819    ET INFO Packed Executable Download                               Misc activity
TCP 115.238.192.239:80 -> 192.168.56.102:49808   2018959    ET POLICY PE EXE or DLL Windows file download HTTP               Potential Corporate Privacy Violation
TCP 180.163.122.224:80 -> 192.168.56.102:49813   2018959    ET POLICY PE EXE or DLL Windows file download HTTP               Potential Corporate Privacy Violation
TCP 180.163.122.224:80 -> 192.168.56.102:49813   2015744    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)   Misc activity
TCP 192.168.56.102:49835 -> 115.238.192.248:443  906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)    undefined

Suricata TLS

Flow                                                Issuer                                                                Subject          Fingerprint
TLSv1 192.168.56.102:49835 -> 115.238.192.248:443   C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL RSA CA 2018     CN=*.ludashi.com  de:bb:03:64:46:22:7a:b6:88:99:ca:90:fc:d7:1b:f7:af:40:25:e3

Note on the SSLBL hit in the alerts above: that rule matches the client's JA3 hash, not the server, and the only TLS session recorded is to a ludashi.com host presenting a certificate for *.ludashi.com issued by RapidSSL RSA CA 2018. A JA3 hash is shared by every client built on the same TLS stack and settings, so the Tofsee label should be corroborated rather than read as a positive identification.

Time & API        Arguments                 Status  Return  Repeated
GetComputerNameW  computer_name: TEST22-PC  1       1       0
(the same call is logged 9 times with identical arguments and result)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\box\WdGameBox\Release\LiteGameBox2.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API            Arguments  Status  Return  Repeated
GlobalMemoryStatusEx  (none)     1       1       0
resource name FILERES
resource name ZIPRES
request GET http://s.ludashi.com/wan?type=weiduan&action=install&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3198fe798dd9371f1a1b673d412602e1&from=tp_scbybt&forcetick=38266125
request GET http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
request GET http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b66114296225ca89357975808c8201b6&from=tp_scbybt&forcetick=38266187
request GET http://s.ludashi.com/wan?type=weiduan&action=7z_download_start&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=2a1a43be6e7fcdbeaec42ddf0f59f465&from=tp_scbybt&forcetick=38266187
request GET http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=76aa7ce20c8482e4d2b27579e9a19d03&from=tp_scbybt&forcetick=38267031
request GET http://cdn-file-ssl-pc.ludashi.com/pc/cef/CefRes.dll?t=202106151647
request GET http://s.ludashi.com/wan?type=weiduan&action=res_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=0351e7d49752fc50b3d45b851d5c1ecb&from=tp_scbybt&forcetick=38277546
request GET http://cdn-file-ssl-wan.ludashi.com/pc/game/flash/pepflashplayer.7z?t=202106151648
request GET http://s.ludashi.com/wan?type=weiduan&action=pepflash_down_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=826d4532b60a11f8167a6de2a2ebb3b4&from=tp_scbybt&forcetick=38280015
request GET http://s.ludashi.com/wan?type=weiduan&action=add_uninst_item&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=04827975d3650ab9d840f338a616b9f7&from=tp_scbybt&forcetick=38280281
request GET http://s.ludashi.com/wan?type=weiduan&action=add_desk_icon&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b0ea6c10aa2f9f8637adaf8dca6545cc&from=tp_scbybt&forcetick=38280328
request GET http://s.ludashi.com/wan?type=weiduan&action=install_extra&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e55055547e8d2a8cd6a58b02d78635ef&from=tp_scbybt&forcetick=38284656
request GET http://s.ludashi.com/wan?type=weiduan&action=inst_open&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=d9da2c7d1d42abeeb954adc866e09c16&from=tp_scbybt&forcetick=38284656
request GET http://s.ludashi.com/wan?type=weiduan&action=wd_install_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3c8bbce5d85ff18952d12d4d3f3c0fbb&from=tp_scbybt&forcetick=38289750
request GET http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=451727ea8e9bb803e49df4ef62ea6542&from=tp_scbybt&forcetick=38289750
request GET http://wan.ludashi.com/micro/cqbz/index_lds.html?channel=tp&from=tp_repush_wd_cqbz_528
request GET http://s.ludashi.com/wan?type=weiduan&action=run&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e9a12aa16e6ff34eb8e20e934148f43d&from=tp_scbybt&forcetick=38293062
request GET http://s.ludashi.com/wan?type=weiduan&action=wd_show_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=8b4326d365a719ea3d64e7e755a4de6d&from=tp_scbybt&forcetick=38294421
request GET http://s.ludashi.com/wan?type=weiduan&action=main_show&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=360b234ed2d7c7100458a3db8cec87d4&from=tp_scbybt&forcetick=38294421
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/upload.jpg
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/main.css?t=20210323
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/bg.jpg
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/news-bg.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/log_btn.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/reg.jpg?t=20200105
request GET http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20210527
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_right.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav01.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/hovers.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav03.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav04.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_pwd.png?t=20191021
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_code.png?t=20191021
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/checkbox.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_qq.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/third_weixin.png
request GET http://cdn-file.ludashi.com/assets/jquery/jquery183.js
request GET http://cdn-file.ludashi.com/assets/sea/sea.js
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/button_left.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/nav02.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_act.png?t=20191021
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/line.png
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_pwd.png?t=20191021
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_reg_act.png?t=20191021
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/input_log_code.png?t=20191021
request POST http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18304274775074992668_1623743310671
request GET http://wan.ludashi.com/announce/list?callback=jQuery18304274775074992668_1623743310672&type=2&gid=cqbz&skip=0&num=5&_=1623743312955
request GET http://s.ludashi.com/wan?type=accurate&action=t0&channel=tp&from=tp_repush_wd_cqbz_528&mid=6d265a9f1396f919574a9f73e7d7fa5d&appver=5.3.125.462&uid=0&game=cqbz&timestamp=1623743312959&ex_ary[guid]=
request GET http://cdn-file.ludashi.com/wan/micro/cqbz/assets_lds/cir.png
request GET http://i.ludashi.com/ajax/gettoken?user_from=youxi&callback=jQuery18304274775074992668_1623743310671&_=1623743313409
request POST http://wan.ludashi.com/api/CheckGameStatus?callback=jQuery18304274775074992668_1623743310671
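The s.ludashi.com requests above are install-stage telemetry: every hit carries the same type, channel, mid, mid2, uid, appver, modver and from values and differs only in action, sign and forcetick. As an added example (not part of the ZeroBOX report and not the installer's own code), the following Python reduces a request list like the one above to an action timeline per beacon host and separates the constant parameters (candidates for a network detection rule) from the varying ones (which identify the install stage). The sample lines are copied verbatim from the report; the function names are chosen here.

```python
"""Reduce sandbox 'request METHOD URL' lines to a per-host telemetry timeline.
Added example; the sample lines below are copied from the ZeroBOX report."""
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
request GET http://s.ludashi.com/wan?type=weiduan&action=install&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=3198fe798dd9371f1a1b673d412602e1&from=tp_scbybt&forcetick=38266125
request GET http://cdn-file-ssl-wan.ludashi.com/wan/wan/7z.dll
request GET http://s.ludashi.com/wan?type=weiduan&action=7z_noexist&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=b66114296225ca89357975808c8201b6&from=tp_scbybt&forcetick=38266187
request GET http://s.ludashi.com/wan?type=weiduan&action=7z_download_success&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=76aa7ce20c8482e4d2b27579e9a19d03&from=tp_scbybt&forcetick=38267031
request GET http://s.ludashi.com/wan?type=weiduan&action=inst_succ&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=451727ea8e9bb803e49df4ef62ea6542&from=tp_scbybt&forcetick=38289750
request GET http://s.ludashi.com/wan?type=weiduan&action=run&channel=tp&mid=6d265a9f1396f919574a9f73e7d7fa5d&mid2=f56088de10f508450c772dfdc290e24fb765fb882b68&uid=d&appver=&modver=5.3.125.462&sign=e9a12aa16e6ff34eb8e20e934148f43d&from=tp_scbybt&forcetick=38293062
"""


def parse_requests(text):
    """Return one dict per 'request METHOD URL' line: method, host, path, query params."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or parts[0] != "request":
            continue  # not a request line; the report mixes other rows in
        method, url = parts[1], parts[2]
        u = urlsplit(url)
        # keep_blank_values so that 'appver=' survives as an (empty) constant field
        params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
        records.append({"method": method, "host": u.hostname, "path": u.path, "params": params})
    return records


def timeline(records, host, action_key="action", tick_key="forcetick"):
    """Ordered (action, tick) pairs for one beacon host, in log order."""
    return [(r["params"][action_key], int(r["params"].get(tick_key, 0)))
            for r in records if r["host"] == host and action_key in r["params"]]


def split_fields(records, host):
    """(constant, varying): parameters whose value never changes for this host
    versus those that do. Constant ones are what a detection rule can key on."""
    seen = {}
    for r in records:
        if r["host"] != host:
            continue
        for k, v in r["params"].items():
            seen.setdefault(k, set()).add(v)
    constant = {k: next(iter(v)) for k, v in seen.items() if len(v) == 1}
    varying = sorted(k for k, v in seen.items() if len(v) > 1)
    return constant, varying


def ticks_monotonic(tl):
    """True when the tick counter never goes backwards (a sanity check on log order)."""
    return all(b >= a for (_, a), (_, b) in zip(tl, tl[1:]))


if __name__ == "__main__":
    recs = parse_requests(SAMPLE_LOG)
    for action, tick in timeline(recs, "s.ludashi.com"):
        print(f"{tick}  {action}")
    const, var = split_fields(recs, "s.ludashi.com")
    print("constant:", sorted(const), "varying:", var)
```

Run against the full request list from the report, the timeline reads install, 7z_noexist, 7z_download_start, 7z_download_success, res_down_success, pepflash_down_success, add_uninst_item, add_desk_icon, install_extra, inst_open, wd_install_success, inst_succ, run, wd_show_success, main_show, which is the installer's own account of what it did on the host.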
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory: 50 calls, each with length 4096, protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff (the current-process pseudo-handle), stack_dep_bypass 0, stack_pivoted 0, Status 1, Return 0, Repeated 0. The calls differ only in process, heap_dep_bypass flag and page address:

process_identifier  heap_dep_bypass  base_address  calls
7388                0                0x73772000    1
8724                0                0x73772000    1
8724                1                0x04510000    3
8724                1                0x04511000    2
8724                1                0x04512000    4
8724                1                0x04513000    5
8724                1                0x04514000    2
8724                1                0x04515000    3
8724                1                0x04516000    2
8724                1                0x04517000    1
8724                1                0x04518000    8
8724                1                0x04519000    5
8724                1                0x0451a000    8
8724                1                0x0451b000    5

Taken together, the pid 8724 calls make the twelve consecutive pages 0x04510000 to 0x0451b000 (48 KiB) writable and executable one page at a time; a later NtProtectVirtualMemory entry in this report drops the first of those pages to PAGE_EXECUTE.
Time & API           Arguments                                                                                                                                                          Status  Return  Repeated
GetDiskFreeSpaceExW  root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 13099872256, total_number_of_bytes: 0, total_number_of_free_bytes: 0  1       1       0
GetDiskFreeSpaceExW  root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer, free_bytes_available: 13098196992, total_number_of_bytes: 0, total_number_of_free_bytes: 0  1       1       0
regkey .*360Safe
name           language      sublanguage                 filetype                                     offset      size        listed
FILERES        LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  ASCII text                                   0x0016fc48  0x000004e1  2
ZIPRES         LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  Zip archive data, at least v2.0 to extract   0x004321b0  0x00032633  5
RT_ICON        LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  GLS_BINARY_LSB_FIRST                         0x004687bc  0x00000468  4
RT_STRING      LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  data                                         0x00468c88  0x00000022  3
RT_GROUP_ICON  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  data                                         0x00468cac  0x0000003e  1
RT_VERSION     LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  data                                         0x00468cec  0x000001e0  1
("listed" is the number of times the report repeats the identical entry)
file C:\Users\test22\AppData\Roaming\WdGame\scbybt\沙城霸业BT.lnk
file C:\Users\test22\AppData\Local\Temp\{F6D41D1D-CDC4-4221-9769-8B15A651D2AD}.tmp\CefRes.dll
file C:\Users\test22\AppData\Local\Temp\WdGame_scbybt\NetBridge.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\commonTool[1].js
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\d3dcompiler_43.dll
file C:\Users\test22\AppData\Roaming\WdGame\NetBridge.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\sea[1].js
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\libcef.dll
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\d3dcompiler_47.dll
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\libEGL.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\jquery183[1].js
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\widevinecdmadapter.dll
file C:\Users\test22\Desktop\沙城霸业BT.lnk
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\pageMicro[1].js
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\libGLESv2.dll
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\pepflashplayer.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\config[1].js
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\wow_helper.exe
file C:\Users\test22\AppData\Roaming\WdGame\Utils\7z.dll
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\沙城霸业BT\沙城霸业BT.lnk
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\commonLoginApi[1].js
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\沙城霸业BT\沙城霸业BT.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
Time & API              Arguments                                                                                                                                                                              Status  Return  Repeated
NtProtectVirtualMemory  process_identifier: 8724, base_address: 0x04510000, length: 4096, protection: 16 (PAGE_EXECUTE), process_handle: 0xffffffff, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 1  1       0       0
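The 48 PAGE_EXECUTE_READWRITE calls over 0x04510000 to 0x0451b000 earlier in the report, followed by this single PAGE_EXECUTE call on the first of those pages, are the write-then-lock sequence of code being unpacked into a fresh region. As an added example (not ZeroBOX code), the following Python replays a call log like that one, groups pages by the 64 KiB Windows allocation granularity, and flags regions that became writable+executable and were later made execute-only, while listing regions that were only ever made RWX as a weaker signal. The row list is constructed from the page's values with one RWX call per page instead of the report's repeated calls; `region_of` and `rwx_then_x` are names chosen here.

```python
"""Flag the RWX-then-X memory protection pattern in an NtProtectVirtualMemory log.
Added example, not ZeroBOX code; CALLS is constructed from the report's values."""
from collections import defaultdict

PAGE_SIZE = 0x1000
ALLOC_GRANULARITY = 0x10000          # Windows VirtualAlloc granularity
WRITABLE_EXEC = {0x40, 0x80}         # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXEC_NO_WRITE = {0x10, 0x20}         # PAGE_EXECUTE, PAGE_EXECUTE_READ

# (process_identifier, base_address, protection) in log order.
# Constructed: one RWX call per page of the 0x04510000 region (the report
# repeats several of them), then the final PAGE_EXECUTE call on the first page.
CALLS = (
    [(7388, 0x73772000, 0x40), (8724, 0x73772000, 0x40)]
    + [(8724, 0x04510000 + i * PAGE_SIZE, 0x40) for i in range(12)]
    + [(8724, 0x04510000, 0x10)]
)


def region_of(addr, granularity=ALLOC_GRANULARITY):
    """Round a page address down to its allocation-granularity region."""
    return addr & ~(granularity - 1)


def rwx_then_x(calls):
    """Return {(pid, region): sorted RWX pages} for every region in which a
    page was first made writable+executable and later made execute-only.
    That transition is what a loader does after writing unpacked code."""
    rwx_pages = defaultdict(set)
    hits = {}
    for pid, base, prot in calls:
        key = (pid, region_of(base))
        low = prot & 0xFF                     # strip PAGE_GUARD/NOCACHE modifiers
        if low in WRITABLE_EXEC:
            rwx_pages[key].add(base)
        elif low in EXEC_NO_WRITE and base in rwx_pages[key]:
            hits[key] = sorted(rwx_pages[key])
    return hits


def rwx_only(calls):
    """Regions made RWX that were never locked down: worth a look, but a
    weaker signal than rwx_then_x (a single page of a mapped module, say)."""
    rwx = {(pid, region_of(base)) for pid, base, prot in calls
           if (prot & 0xFF) in WRITABLE_EXEC}
    return rwx - set(rwx_then_x(calls))


def describe(calls):
    """Human-readable summary lines for a triage note."""
    lines = []
    for (pid, region), pages in rwx_then_x(calls).items():
        lines.append(f"pid {pid}: region {region:#010x} made RWX over {len(pages)} pages "
                     f"({pages[0]:#010x}-{pages[-1]:#010x}), then locked to execute-only")
    for pid, region in sorted(rwx_only(calls)):
        lines.append(f"pid {pid}: region {region:#010x} made RWX, never locked")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(CALLS)))
```

The heap_dep_bypass flag the sandbox attaches to the 0x0451xxxx calls, and its absence on the 0x73772000 page, is the same split this code makes between a fresh region and a single page in an already-mapped range.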
Time & API Arguments Status Return Repeated

recv
  socket: 1296
  received: 1024
  buffer: HTTP/1.1 200 OK Server: Tengine Content-Type: application/octet-stream Content-Length: 1113400 Connection: keep-alive Date: Mon, 14 Jun 2021 22:33:34 GMT x-oss-request-id: 60C7D93EB86D5D373487884D x-oss-cdn-auth: success Accept-Ranges: bytes ETag: "C4AA6D9E72A1721B3F65646E04E702CF" Last-Modified: Thu, 17 Dec 2020 05:40:22 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 3096456683339413985 x-oss-storage-class: Standard Content-MD5: xKptnnKhchs/ZWRuBOcCzw== x-oss-server-time: 27 Via: cache29.l2cn2628[0,1,304-0,H], cache31.l2cn2628[3,0], vcache32.cn2038[0,0,200-0,H], vcache26.cn2038[1,0] Ali-Swift-Global-Savetime: 1615174726 Age: 10894 X-Cache: HIT TCP_MEM_HIT dirn:11:231412164 X-Swift-SaveTime: Mon, 14 Jun 2021 22:58:56 GMT X-Swift-CacheTime: 10800 Access-Control-Allow-Origin: * Timing-Allow-Origin: * EagleId: 73eec0ae16237209088381720e [body: PE image, MZ header followed by the "This program cannot be run in DOS mode." stub and binary data]
  Status 1, Return 1024, Repeated 0

recv
  socket: 1352
  received: 1024
  buffer: HTTP/1.1 200 OK Server: Tengine Content-Type: application/octet-stream Content-Length: 25402696 Connection: keep-alive Date: Tue, 15 Jun 2021 01:35:09 GMT x-oss-request-id: 60C803CD77D457363006B21C x-oss-cdn-auth: success Accept-Ranges: bytes ETag: "0BD4F927300726072F1AA50BF08CB175-5" Last-Modified: Tue, 03 Dec 2019 08:17:34 GMT x-oss-object-type: Multipart x-oss-hash-crc64ecma: 17829016985417600697 x-oss-storage-class: Standard x-oss-server-time: 2 Ali-Swift-Global-Savetime: 1623720909 Via: cache23.l2cn1809[37,36,200-0,M], cache46.l2cn1809[39,0], cache46.l2cn1809[39,0], cache3.cn1997[65,64,200-0,M], cache3.cn1997[67,0] X-Cache: MISS TCP_MISS dirn:-2:-2 X-Swift-SaveTime: Tue, 15 Jun 2021 01:35:09 GMT X-Swift-CacheTime: 2592000 Timing-Allow-Origin: * EagleId: b4a37a1716237209096943730e [body: PE image, MZ header followed by the "This program cannot be run in DOS mode." stub and binary data]
  Status 1, Return 1024, Repeated 0
section  name: .rsrc, virtual_address: 0x00134000, virtual_size: 0x00335204, size_of_data: 0x00335400, entropy: 7.9768  description: A section with a high entropy has been found
entropy 0.7218  description: Overall entropy of this PE file is high
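The .rsrc section scores 7.98 bits per byte and, per the resource table earlier in the report, holds a ZIPRES resource that is a zip archive, so the entropy signature here is measuring embedded compressed data rather than a packer. As an added example (not ZeroBOX code), the following Python computes Shannon entropy overall and per window so the high-entropy island can be located, finds embedded ZIP local file headers, and lists an embedded archive's members without extracting them. The sample blob is constructed in memory (zero padding around a small deflated zip); the function names are chosen here.

```python
"""Entropy profiling and embedded-ZIP carving for a PE section or resource blob.
Added example, not ZeroBOX code; build_sample() constructs the input in memory."""
import io
import math
import zipfile


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def window_entropies(data, window=1024):
    """(offset, entropy) per window; high-entropy islands mark compressed or encrypted data."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def find_zip_offsets(data):
    """Offsets of every ZIP local file header signature (PK\\x03\\x04) in the blob."""
    offsets, i = [], data.find(b"PK\x03\x04")
    while i != -1:
        offsets.append(i)
        i = data.find(b"PK\x03\x04", i + 1)
    return offsets


def carve_zip_names(data, offset):
    """List members of the archive starting at offset. zipfile locates the end
    of central directory by scanning backwards, so trailing bytes are tolerated."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as z:
        return z.namelist()


def analyze(data, hot_threshold=6.0):
    """Everything a triage note needs: overall entropy, hot windows, embedded zips."""
    zips = find_zip_offsets(data)
    return {
        "entropy": shannon_entropy(data),
        "hot_windows": [off for off, e in window_entropies(data) if e > hot_threshold],
        "zip_offsets": zips,
        "members": {off: carve_zip_names(data, off) for off in zips},
    }


def build_sample():
    """Constructed resource-like blob: zero padding, one deflated zip, more padding."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("config.ini", "".join(f"key{i}=value{i}\n" for i in range(500)))
    return b"\x00" * 4096 + bio.getvalue() + b"\x00" * 512


if __name__ == "__main__":
    report = analyze(build_sample())
    print(f"overall entropy {report['entropy']:.2f}, hot windows at {report['hot_windows']}")
    for off, names in report["members"].items():
        print(f"zip at {off:#x}: {names}")
```

On the real sample the interesting check is whether the ZIPRES archive's members are themselves executables; the resource table gives its offset (0x004321b0) and size (0x00032633), so the same functions can be pointed at that slice of the file.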
Time & API             Arguments                                                  Status  Return  Repeated
LookupPrivilegeValueW  system_name: (empty), privilege_name: SeShutdownPrivilege  1       1       0
(the same call is logged 8 times with identical arguments and result)
Time & API Arguments Status Return Repeated

RegOpenKeyExW
  regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WdGame_scbybt
  regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WdGame_scbybt
  base_handle: 0x80000001 (HKEY_CURRENT_USER)
  key_handle: 0x00000000
  options: 0
  access: 0x0003001f
  2 0 (the open failed with return value 2, ERROR_FILE_NOT_FOUND: the per-user uninstall entry did not yet exist when the installer first probed for it)
host 172.217.25.14
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\scbybt.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\scbybt.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\scbybttprepush528.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\scbybt.exe
Time & API Arguments Status Return Repeated

NtCreateFile
  filepath: \??\PhysicalDrive0
  filepath_r: \??\PhysicalDrive0
  desired_access: 0xc0100080 (GENERIC_READ|GENERIC_WRITE|SYNCHRONIZE|FILE_READ_ATTRIBUTES; the report decodes it as FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE and omits GENERIC_READ, which is the 0x80000000 bit)
  create_disposition: 1 (FILE_OPEN)
  create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
  share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
  file_attributes: 0 ()
  status_info: 1 (FILE_OPENED)
  file_handle: 0x00000154
  Status 1, Return 0, Repeated 0

NtCreateFile
  filepath: \??\PhysicalDrive0
  filepath_r: \??\PhysicalDrive0
  desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
  create_disposition: 1 (FILE_OPEN)
  create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
  share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
  file_attributes: 0 ()
  status_info: 0 (FILE_SUPERSEDED)
  file_handle: 0x00000154
  Status 1, Return 0, Repeated 0

DeviceIoControl
  device_handle: 0x00000154
  control_code: 2954240 (0x002d1400, IOCTL_STORAGE_QUERY_PROPERTY)
  input_buffer: (empty)
  output_buffer: [binary STORAGE_DEVICE_DESCRIPTOR header] VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036
  Status 1, Return 1, Repeated 0

The descriptor returned for PhysicalDrive0 carries the vendor string VBOX, product HARDDISK and revision 1.0 (the trailing hex string is the serial number); querying the disk identity this way is a common virtual-machine check, which is what the Anti_VM tag on this report reflects.
MicroWorld-eScan Gen:Variant.Johnnie.340876
McAfee Artemis!5F32AB11399C
Arcabit Trojan.Johnnie.D5338C
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Fsysna-9760418-0
BitDefender Gen:Variant.Johnnie.340876
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.5f32ab11399c7596
Emsisoft Gen:Variant.Johnnie.340876 (B)
Webroot W32.Malware.Gen
AegisLab Trojan.Win32.Johnnie.4!c
GData Win32.Trojan.PSE.1K4L0HE
Cynet Malicious (score: 100)
MAX malware (ai score=81)
Rising Adware.Agent!1.CFEB (CLASSIC)
Fortinet W32/Johnnie.3159!tr
Panda Trj/Genetic.gen
process scbybttprepush528.exe useragent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process scbybttprepush528.exe useragent
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_extensions.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\id.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ml.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\zh-CN.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\fi.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\pt-PT.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\uk.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\fil.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\sk.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\vi.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\am.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\en-US.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\pt-BR.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ta.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\de.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ro.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\natives_blob.bin
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\lv.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_resources.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_200_percent.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\gu.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\en-GB.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\cs.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\hr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\sr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ru.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\pl.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\mr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ja.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ms.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\th.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\cef_100_percent.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\nl.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\zh-TW.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\da.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\nb.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\he.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\hu.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\ca.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\bn.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\lt.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\tr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\fr.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\te.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\et.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\sl.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\snapshot_blob.bin
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\it.pak
file C:\Users\test22\AppData\Roaming\WdGame\Utils\cef\locales\bg.pak