File name:

dqhj_eqqw.exe

Full analysis: https://app.any.run/tasks/4ca77319-1ae4-401d-b747-b3df369bfb9a
Verdict: Malicious activity
Analysis date: December 06, 2022, 04:06:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

AD01EC1430C0B7FCBA0FC5D0B419D2ED

SHA1:

49E90ABAAE6AA26FBBCCE958CA24044D0C17F329

SHA256:

62018FB4CAF35E5849EC75A3797008F678E5DAF48B486031AFC59B88D91E09A9

SSDEEP:

49152:2l/NEdAGDAfnSwglT5htj5a35mAwqDgPU:U8AGDMzglT5njMc4j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • dqhj_eqqwd.exe (PID: 3056)

    • Loads dropped or rewritten executable

      • dqhj_eqqw.exe (PID: 3140)
      • dqhj_eqqwd.exe (PID: 3056)
      • dqhj_eqqwd.exe (PID: 1528)

    • Application was dropped or rewritten from another process

      • dqhj_eqqwd.exe (PID: 1528)
      • dqhj_eqqwd.exe (PID: 3056)

  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • dqhj_eqqwd.exe (PID: 1528)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • dqhj_eqqw.exe (PID: 3140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2016-Apr-02 03:20:09
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: 上海三七玩网络科技有限公司
FileDescription: 灭神 install
FileVersion: 3.0.0.0
LegalCopyright: 上海三七玩网络科技有限公司
ProductName: 灭神
ProductVersion: 3.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 200

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2016-Apr-02 03:20:09
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
23668
24064
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.41039
.rdata
28672
4502
4608
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.20374
.data
36864
110680
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.13053
.ndata
151552
65536
0
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc
217088
189728
189952
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.89167

Resources

Title
Entropy
Size
Codepage
Language
Type
1
7.99215
156644
UNKNOWN
English - United States
RT_ICON
2
6.65828
16936
UNKNOWN
English - United States
RT_ICON
3
6.87943
9640
UNKNOWN
English - United States
RT_ICON
4
6.44871
1128
UNKNOWN
English - United States
RT_ICON
102
2.63447
160
UNKNOWN
English - United States
RT_DIALOG
103
2.68436
62
UNKNOWN
English - United States
RT_GROUP_ICON
104
2.60821
260
UNKNOWN
English - United States
RT_DIALOG
105
2.62576
492
UNKNOWN
English - United States
RT_DIALOG
106
2.86626
228
UNKNOWN
English - United States
RT_DIALOG
110
2.82633
1638
UNKNOWN
English - United States
RT_BITMAP

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start dqhj_eqqw.exe dqhj_eqqwd.exe dqhj_eqqwd.exe dqhj_eqqw.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1528"C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe" /autorun /setuprunC:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe
dqhj_eqqw.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\syol\dqhj_eqqwd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
1580"C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exe" C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exeExplorer.EXE
User:
admin
Company:
上海三七玩网络科技有限公司
Integrity Level:
MEDIUM
Description:
灭神 install
Exit code:
3221226540
Version:
3.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\dqhj_eqqw.exe
3056"C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe" /setupsuccC:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe
dqhj_eqqw.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\syol\dqhj_eqqwd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
3140"C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exe" C:\Users\admin\AppData\Local\Temp\dqhj_eqqw.exe
Explorer.EXE
User:
admin
Company:
上海三七玩网络科技有限公司
Integrity Level:
HIGH
Description:
灭神 install
Exit code:
0
Version:
3.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\dqhj_eqqw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
Total events
6 194
Read events
6 108
Write events
85
Delete events
1

Modification events

(PID) Process:(3140) dqhj_eqqw.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃðÉñ
Operation:writeName:DisplayName
Value:
ÃðÉñ
(PID) Process:(3140) dqhj_eqqw.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃðÉñ
Operation:writeName:UninstallString
Value:
C:\Users\admin\AppData\Roaming\syol\uninst.exe
(PID) Process:(3140) dqhj_eqqw.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃðÉñ
Operation:writeName:DisplayIcon
Value:
C:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exe
(PID) Process:(3140) dqhj_eqqw.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃðÉñ
Operation:writeName:DisplayVersion
Value:
3.0.0.0
(PID) Process:(3140) dqhj_eqqw.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃðÉñ
Operation:writeName:URLInfoAbout
Value:
http://www.37.com/
(PID) Process:(3140) dqhj_eqqw.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃðÉñ
Operation:writeName:Publisher
Value:
ÉϺ£ÈýÆßÍæÍøÂç¿Æ¼¼ÓÐÏÞ¹«Ë¾
(PID) Process:(3056) dqhj_eqqwd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3056) dqhj_eqqwd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3056) dqhj_eqqwd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3056) dqhj_eqqwd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
5
Suspicious files
10
Text files
51
Unknown types
5

Dropped files

PID
Process
Filename
Type
3140dqhj_eqqw.exeC:\Users\admin\AppData\Roaming\syol\uninst.exeexecutable
MD5:
SHA256:
3140dqhj_eqqw.exeC:\Users\admin\AppData\Local\Temp\nsvFD42.tmpbinary
MD5:
SHA256:
3140dqhj_eqqw.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\37ÓÎÏ·ÖÐÐÄ\ÃðÉñ\жÔØÃðÉñ.lnklnk
MD5:
SHA256:
1528dqhj_eqqwd.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\game[1].jshtml
MD5:
SHA256:
3140dqhj_eqqw.exeC:\Users\admin\Desktop\ÃðÉñ.lnklnk
MD5:
SHA256:
1528dqhj_eqqwd.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\client[1].htmhtml
MD5:
SHA256:
1528dqhj_eqqwd.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\sq.login[1].jshtml
MD5:
SHA256:
3140dqhj_eqqw.exeC:\Users\admin\AppData\Roaming\syol\dqhj_eqqwd.exeexecutable
MD5:
SHA256:
3140dqhj_eqqw.exeC:\Users\admin\AppData\Local\Temp\nslFD53.tmp\System.dllexecutable
MD5:56A321BD011112EC5D8A32B2F6FD3231
SHA256:BB6DF93369B498EAA638B0BCDC4BB89F45E9B02CA12D28BCEDF4629EA7F5E0F1
3140dqhj_eqqw.exeC:\Users\admin\AppData\Roaming\syol\config.dllexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
29
DNS requests
14
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1528
dqhj_eqqwd.exe
GET
163.171.132.119:80
http://ptres.37.com/js/sq/widget/sq.clientclass2.js?t=1670299621
US
whitelisted
1528
dqhj_eqqwd.exe
GET
200
163.171.132.119:80
http://ptres.37.com/js/sq/widget/sq.login.js?t=20211123172316
US
html
12.5 Kb
whitelisted
1528
dqhj_eqqwd.exe
GET
200
163.171.128.148:80
http://img2.37wanimg.com/2019/04/16181600wKssp.jpg
US
image
58.8 Kb
malicious
1528
dqhj_eqqwd.exe
GET
200
163.171.132.119:80
http://img1.37wanimg.com/syol/js/client/game.js?t=1670299621
US
html
2.08 Kb
malicious
1528
dqhj_eqqwd.exe
GET
200
120.77.146.101:80
http://gameapp.37.com/controller/client.php?game_id=537&tpl_type=game&refer=wd_feitian&uid=913449&version=3000&installtime=20221206&runcount=1&curtime=20221206040657&showlogintype=3&regtimes=1&pagetype=1&thirdlogin=1
CN
html
3.38 Kb
unknown
1528
dqhj_eqqwd.exe
GET
200
120.77.146.101:80
http://gameapp.37.com/controller/client.php?action=register&game_id=537&tpl_type=game
CN
html
3.58 Kb
unknown
1528
dqhj_eqqwd.exe
GET
200
163.171.132.119:80
http://img1.37wanimg.com/syol/css/client/game/btn-log.png
US
image
30.1 Kb
malicious
1528
dqhj_eqqwd.exe
GET
200
163.171.132.119:80
http://img1.37wanimg.com/syol/css/client/game.css?t=1670299656
US
text
4.59 Kb
malicious
1528
dqhj_eqqwd.exe
GET
200
163.171.132.119:80
http://img1.37wanimg.com/syol/css/client/game/btn-to-log.png
US
image
1.14 Kb
malicious
1528
dqhj_eqqwd.exe
GET
200
163.171.132.119:80
http://img1.37wanimg.com/syol/css/client/game/kv-a.png
US
image
1.07 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3056
dqhj_eqqwd.exe
159.75.141.43:80
a.clickdata.37wan.com
Shenzhen Tencent Computer Systems Company Limited
CN
malicious
1528
dqhj_eqqwd.exe
120.77.146.101:80
gameapp.37.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
1528
dqhj_eqqwd.exe
163.171.128.148:80
img1.37wanimg.com
QUANTILNETWORKS
DE
malicious
1528
dqhj_eqqwd.exe
163.171.132.119:80
img1.37wanimg.com
QUANTILNETWORKS
DE
malicious
1528
dqhj_eqqwd.exe
159.75.141.43:80
a.clickdata.37wan.com
Shenzhen Tencent Computer Systems Company Limited
CN
malicious
1528
dqhj_eqqwd.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
whitelisted
1528
dqhj_eqqwd.exe
106.55.175.231:443
regapi.37.com
Shenzhen Tencent Computer Systems Company Limited
CN
unknown
1528
dqhj_eqqwd.exe
139.9.125.189:80
cm.he2d.com
Huawei Cloud Service data center
CN
unknown
1528
dqhj_eqqwd.exe
193.112.116.230:80
cm.he2d.com
Shenzhen Tencent Computer Systems Company Limited
CN
unknown
1528
dqhj_eqqwd.exe
39.108.132.57:443
my.37.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown

DNS requests

Domain
IP
Reputation
a.clickdata.37wan.com
  • 159.75.141.43
  • 106.55.79.146
malicious
gameapp.37.com
  • 120.77.146.101
  • 81.71.82.218
  • 106.53.131.76
unknown
img1.37wanimg.com
  • 163.171.132.119
  • 163.171.128.148
malicious
img2.37wanimg.com
  • 163.171.128.148
  • 163.171.132.119
malicious
ptres.37.com
  • 163.171.132.119
  • 163.171.128.148
whitelisted
d.wanyouxi7.com
  • 163.171.128.148
  • 163.171.132.119
malicious
regapi.37.com
  • 106.55.175.231
  • 39.108.147.122
  • 81.71.21.194
unknown
my.37.com
  • 39.108.132.57
  • 42.194.153.154
  • 81.71.10.131
suspicious
cm.he2d.com
  • 193.112.116.230
  • 139.9.125.189
suspicious
cookiem.37.com
  • 139.9.125.189
  • 193.112.116.230
suspicious

Threats

Found threats are available for the paid subscriptions
8 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dqhj_eqqw.exe