77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307

Analysis

max time kernel
221s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Size

428KB
MD5

c0bce7ecfebcaf6ae4d0767ebb79c5da
SHA1

b6c9f0653a086513679f743bb5b6001973956cf2
SHA256

77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307
SHA512

375d7b9468cd41ed0699596bf86d3e468b64b8c89d357ce70e56958688f07ee19d367ab59d44f3a838fd47c4e1add8effe70e02c9ef9eed8616596832afc2c63
SSDEEP

12288:ZQVTzThv858payUIp803022g5NDwcJ2CrKBr3jr9HB:8uy30NgLDLGBrzrNB

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exeWnUmanlike.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

Executes dropped EXE 7 IoCs

Processes:

WNSoftSer.exeWnUmanlike.exeWnUmanlike.exeWnUmanlike.exeWnFSUpd.exeWnSoftManager.exeWnSoftManager.exe

pid process

4580 WNSoftSer.exe
2412 WnUmanlike.exe
1776 WnUmanlike.exe
2284 WnUmanlike.exe
4380 WnFSUpd.exe
4084 WnSoftManager.exe
1524 WnSoftManager.exe

pid	process
4580	WNSoftSer.exe
2412	WnUmanlike.exe
1776	WnUmanlike.exe
2284	WnUmanlike.exe
4380	WnFSUpd.exe
4084	WnSoftManager.exe
1524	WnSoftManager.exe

Registers COM server for autorun 1 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exeWnUmanlike.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ = "C:\\Windows\\system32\\WnAcelein64.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous64.dll"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnCosemism64.dll"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ThreadingModel = "Apartment"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous64.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ThreadingModel = "Apartment"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnCosemism64.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Restreful\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\Restreful\\WnSvdarme.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

Loads dropped DLL 3 IoCs

Processes:

svchost.exeWnSoftManager.exeWnSoftManager.exe

pid process

456 svchost.exe
4084 WnSoftManager.exe
1524 WnSoftManager.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
456	svchost.exe
4084	WnSoftManager.exe
1524	WnSoftManager.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeWnSoftManager.exe照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\	WnSoftManager.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	WnSoftManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\	svchost.exe

Drops file in System32 directory 20 IoCs

Processes:

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exeWNSoftSer.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\WnAcelein.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FFA6E45777C6CE08CA96D0E3CFF29477	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	WNSoftSer.exe
File created	C:\Windows\system32\WnAcelein64.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	WNSoftSer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\7f70110c47e5[1].bae	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FFA6E45777C6CE08CA96D0E3CFF29477	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FFA6E45777C6CE08CA96D0E3CFF29477	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FFA6E45777C6CE08CA96D0E3CFF29477	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\a30666352098[1].bae	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\xst[1].abf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	WNSoftSer.exe

Drops file in Program Files directory 64 IoCs

Processes:

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exeWnUmanlike.exe

description	ioc	process
File created	C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini	WnUmanlike.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\update.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon\normal.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wndr.cat	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wke.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wndr.cat	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon\normal.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\update.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon\update.ico	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tff	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

Processes:

WnSoftManager.exeWnSoftManager.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WnSoftManager.exe = "11000"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WnSoftManager.exe = "11000"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	WnSoftManager.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

WNSoftSer.exesvchost.exeWnUmanlike.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WNSoftSer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\WanNengSoftManager\WNGJAppInfo\CfgPath = "C:\\Users\\Admin\\AppData\\LocalLow\\WanNengSoftManager\\"	WnUmanlike.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WNSoftSer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WNSoftSer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WNSoftSer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WanNengSoftManager\WNGJAppInfo	WnUmanlike.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WanNengSoftManager	WnUmanlike.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\WanNengSoftManager\WNGJAppInfo\UsrPath = "C:\\Users\\Admin\\AppData\\LocalLow\\WanNengSoftManager.user\\"	WnUmanlike.exe

Modifies registry class 64 IoCs

Processes:

WnUmanlike.exe照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win32	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WanNengSoftManager\\"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WanNengSoftManager	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\CloudSoftManagershExt\ = "{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous64.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\ProgID	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\0	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\VersionIndependentProgID\ = "CloudSoftManagerOverlayIcon.MyCloudSoftManagerOverlayIcon"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Programmable	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\WanNengSoftManager	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\ProgID\ = "CloudSoftManagerOverlayIcon.MyCloudSoftManagerOverlayIcon.1"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Programmable	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WanNengSoftManager\\"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\CloudSoftManagershExt	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ThreadingModel = "Apartment"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Version	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Version\ = "1.0"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\TypeLib\ = "{AF513021-FF0F-40FD-8BF0-711EA843DD9F}"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\0\win32	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\DragDropHandlers\WanNengSoftManager	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\HELPDIR	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\ = "MyCloudSoftManagerOverlayIcon Class"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\VersionIndependentProgID\ = "CloudSoftManagerOverlayIcon.MyCloudSoftManagerOverlayIcon"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ThreadingModel = "Apartment"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\CloudSoftManagershExt\ = "{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\FLAGS\ = "0"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\TypeLib	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win64	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WanNengSoftManager	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\DragDropHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\ProgID	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\Programmable	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win64\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous64.dll"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\FLAGS	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnCosemism64.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\ = "CloudSoftManagershExt Class"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ = "C:\\Windows\\SysWow64\\WnAcelein64.dll"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnCosemism64.dll"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Version	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win32	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

pid	process
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4888 powershell.exe

pid	process
648

description	pid	process
Token: SeDebugPrivilege	4888	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

照片查重去重软件(VisiPics) v1.31中文版_018_42122.exeWNSoftSer.exe

description	pid	process	target process
PID 372 wrote to memory of 4888	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	powershell.exe
PID 372 wrote to memory of 4888	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	powershell.exe
PID 372 wrote to memory of 4888	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	powershell.exe
PID 4580 wrote to memory of 2412	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 2412	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 2412	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 1776	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 1776	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 1776	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 2284	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 2284	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 2284	4580	WNSoftSer.exe	WnUmanlike.exe
PID 4580 wrote to memory of 4380	4580	WNSoftSer.exe	WnFSUpd.exe
PID 4580 wrote to memory of 4380	4580	WNSoftSer.exe	WnFSUpd.exe
PID 4580 wrote to memory of 4380	4580	WNSoftSer.exe	WnFSUpd.exe
PID 372 wrote to memory of 4084	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	WnSoftManager.exe
PID 372 wrote to memory of 4084	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	WnSoftManager.exe
PID 372 wrote to memory of 4084	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	WnSoftManager.exe
PID 372 wrote to memory of 1524	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	WnSoftManager.exe
PID 372 wrote to memory of 1524	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	WnSoftManager.exe
PID 372 wrote to memory of 1524	372	照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe	WnSoftManager.exe

C:\Users\Admin\AppData\Local\Temp\照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe
"C:\Users\Admin\AppData\Local\Temp\照片查重去重软件(VisiPics) v1.31中文版_018_42122.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Sets DLL path for service in the registry
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WanNengSoftManager\'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe" 5d6c7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  PID:4084
- C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe" 5d6c7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  PID:1524

C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe
"C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe" 05e
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 0b2 --9fa1=0
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 133 --9fa1=0
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:1776
- C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe" d1d
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 535
  2⤵
  - Executes dropped EXE
  PID:2284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Picnicter -s Restreful
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini

Filesize
194B

MD5
8169df157e5aaa7814e19e4a312a8e6e

SHA1
9250c428993ae78da6f578af6ee968d632f14b32

SHA256
d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812

SHA512
6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1

Download Submit
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini

Filesize
194B

MD5
8169df157e5aaa7814e19e4a312a8e6e

SHA1
9250c428993ae78da6f578af6ee968d632f14b32

SHA256
d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812

SHA512
6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe

Filesize
2.2MB

MD5
784478e4e492533304ff2eefc987bcce

SHA1
3747d2b39c787bfb2c99ed4eda8e0cb122313afe

SHA256
6f859580f5935d05905ced4a83ff6ad7d4f1708dc4844714f3d8e8937ec0c029

SHA512
86fcb8af920fe0b757dd96d8503b69c8cb8c543abfba374d404bf0dc6a95214d8f24be7d03cb00e1199c47e0f7981bdea511179d2a8c722c248747101091b830

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe

Filesize
2.2MB

MD5
784478e4e492533304ff2eefc987bcce

SHA1
3747d2b39c787bfb2c99ed4eda8e0cb122313afe

SHA256
6f859580f5935d05905ced4a83ff6ad7d4f1708dc4844714f3d8e8937ec0c029

SHA512
86fcb8af920fe0b757dd96d8503b69c8cb8c543abfba374d404bf0dc6a95214d8f24be7d03cb00e1199c47e0f7981bdea511179d2a8c722c248747101091b830

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini

Filesize
216B

MD5
7a66033ec15ca3c743f84f05b1b47682

SHA1
36b7e775a98203e2e6884a8f9df3c8fd6d6c5b5a

SHA256
f75dbda9be46d13b7fc1f2c5ac1cf4e3b7f8f310c87fcab11d9a80932744bd33

SHA512
eeaa1999ef435ef672bb3f5f66f5d4211c186ef42adabe7eeb34fa5e155dd53a1566748388105e4c519a4abfbd078f317d9dba91b41feceb8909116450235735

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini

Filesize
282B

MD5
53ea8c756776a53e84072adfcc394d64

SHA1
afe9948f0f65dded8af8df764b3c7efa843140f7

SHA256
58bc6445987b78805dfb59569b3c5538da70d236eead6663747bfdaba22f288d

SHA512
babb701b98e5a6fd03c383e1cc5e1c2f6d64b014ab08d69bc0c710fa551a363b0a1efc4e62ce6eb101cb2b70677d3e91936c9203c244e8c06fb53f02f35b95d8

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini

Filesize
282B

MD5
53ea8c756776a53e84072adfcc394d64

SHA1
afe9948f0f65dded8af8df764b3c7efa843140f7

SHA256
58bc6445987b78805dfb59569b3c5538da70d236eead6663747bfdaba22f288d

SHA512
babb701b98e5a6fd03c383e1cc5e1c2f6d64b014ab08d69bc0c710fa551a363b0a1efc4e62ce6eb101cb2b70677d3e91936c9203c244e8c06fb53f02f35b95d8

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe

Filesize
4.3MB

MD5
abcade080b90bfff8480d3c19299d6ef

SHA1
28ce4f0bc106ad7197c7347e5a3f4975f54c8843

SHA256
e707c901ee0898862445d3274a92e06c8b3558bd712a6c7a37fcfa436c8fee54

SHA512
cd328e0e8bf17972ae92a470553fce643fdd2312d45a044e80767831ce2433dff75e66c1318a7fc9b75f1cb7be07f4bb56ec87766ea04f50a89ccadba09c7a0b

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe

Filesize
4.3MB

MD5
abcade080b90bfff8480d3c19299d6ef

SHA1
28ce4f0bc106ad7197c7347e5a3f4975f54c8843

SHA256
e707c901ee0898862445d3274a92e06c8b3558bd712a6c7a37fcfa436c8fee54

SHA512
cd328e0e8bf17972ae92a470553fce643fdd2312d45a044e80767831ce2433dff75e66c1318a7fc9b75f1cb7be07f4bb56ec87766ea04f50a89ccadba09c7a0b

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
be5e70eb8323ad81f67eae0bcadf37b7

SHA1
675711f6bff27068503472acdd78ac2570cbc515

SHA256
59f35741e20b2944f6f55ef732adebb06fe1ca2771fb9fffaeb6e56943b3bdb9

SHA512
e3c57cbbebe9d77a1f0e15a5864d002bc3c70c62a1ed33e0db1ecefef18a3831a8c9cc3b30f014c74e66b35f163f114ea6435e5b7474300855a92aeb9e67bed0

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
be5e70eb8323ad81f67eae0bcadf37b7

SHA1
675711f6bff27068503472acdd78ac2570cbc515

SHA256
59f35741e20b2944f6f55ef732adebb06fe1ca2771fb9fffaeb6e56943b3bdb9

SHA512
e3c57cbbebe9d77a1f0e15a5864d002bc3c70c62a1ed33e0db1ecefef18a3831a8c9cc3b30f014c74e66b35f163f114ea6435e5b7474300855a92aeb9e67bed0

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.6MB

MD5
81dc21c734602ca9b9e4e086f19d9ee0

SHA1
269a928d70022e5388efeb30c3cefb39b2f1ab52

SHA256
551537503f89d58ab32e991b128e4a323306f6df2462a31de833813f0a7ec614

SHA512
a56d9bc449f59752a938b42d7423d45b6811534e8a38dc177e46f578ba275e160918dcc5881f5a0633bc905f0e44752546f6fc277b88c120b779d060e5146862

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.6MB

MD5
81dc21c734602ca9b9e4e086f19d9ee0

SHA1
269a928d70022e5388efeb30c3cefb39b2f1ab52

SHA256
551537503f89d58ab32e991b128e4a323306f6df2462a31de833813f0a7ec614

SHA512
a56d9bc449f59752a938b42d7423d45b6811534e8a38dc177e46f578ba275e160918dcc5881f5a0633bc905f0e44752546f6fc277b88c120b779d060e5146862

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.6MB

MD5
81dc21c734602ca9b9e4e086f19d9ee0

SHA1
269a928d70022e5388efeb30c3cefb39b2f1ab52

SHA256
551537503f89d58ab32e991b128e4a323306f6df2462a31de833813f0a7ec614

SHA512
a56d9bc449f59752a938b42d7423d45b6811534e8a38dc177e46f578ba275e160918dcc5881f5a0633bc905f0e44752546f6fc277b88c120b779d060e5146862

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.6MB

MD5
81dc21c734602ca9b9e4e086f19d9ee0

SHA1
269a928d70022e5388efeb30c3cefb39b2f1ab52

SHA256
551537503f89d58ab32e991b128e4a323306f6df2462a31de833813f0a7ec614

SHA512
a56d9bc449f59752a938b42d7423d45b6811534e8a38dc177e46f578ba275e160918dcc5881f5a0633bc905f0e44752546f6fc277b88c120b779d060e5146862

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wke.dll

Filesize
11.2MB

MD5
2f168e79442731d29813727c37277b73

SHA1
2e7ea5a3e50bb2439f2a332ee26e2c447ed0d56c

SHA256
53aa5fbe2464996f462592a9ba28af5952cb7a436e35932c005a11b75cde85c9

SHA512
51807548a73f2a0f99c94f6a5db17168ac8053bfe99a01e97f54ee2d21d366bd436ff8f6a2b641a849d348ae9ffead4f33c9f63a9ba683013c0a51bb1b7f2e4c

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wke.dll

Filesize
11.2MB

MD5
2f168e79442731d29813727c37277b73

SHA1
2e7ea5a3e50bb2439f2a332ee26e2c447ed0d56c

SHA256
53aa5fbe2464996f462592a9ba28af5952cb7a436e35932c005a11b75cde85c9

SHA512
51807548a73f2a0f99c94f6a5db17168ac8053bfe99a01e97f54ee2d21d366bd436ff8f6a2b641a849d348ae9ffead4f33c9f63a9ba683013c0a51bb1b7f2e4c

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wke.dll

Filesize
11.2MB

MD5
2f168e79442731d29813727c37277b73

SHA1
2e7ea5a3e50bb2439f2a332ee26e2c447ed0d56c

SHA256
53aa5fbe2464996f462592a9ba28af5952cb7a436e35932c005a11b75cde85c9

SHA512
51807548a73f2a0f99c94f6a5db17168ac8053bfe99a01e97f54ee2d21d366bd436ff8f6a2b641a849d348ae9ffead4f33c9f63a9ba683013c0a51bb1b7f2e4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
471B

MD5
438d2b95bff76a4aca6e3c59eb6a5382

SHA1
33e970e4152550f3c222a57f782828fecaff5a0a

SHA256
6769b7b999e28b61e233371c8a0ed1f8e8520c6a02347124eb167c5c0a7b10a8

SHA512
e6666c54bce6c5f2e127884313a010a91230b2ebc86a47d994e83dc7ed276329d3783bda97f0e573f3de8c499dd407e231e955892c6a52790c4715975164a5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FFA6E45777C6CE08CA96D0E3CFF29477

Filesize
471B

MD5
5ba190d7308ad2a6846536be7973d093

SHA1
e603159b2da20467f4576436bc7e0eea54ad4d92

SHA256
d5632e3b43673d4335791240538e5ae3b43daf1881dafcb59a5ae748061773b6

SHA512
f6a5526c76129bbe876a002abdffc28c755572f710885911d07fb1ffe65c8bcc5c1a43b53692bf92d708c2f88c97d2a1f6486a11d3fc5b309dc1b89279dcb38b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
434B

MD5
847b4a9115ba8deb4c08ea53c1accbfe

SHA1
fbedc8db577d4bbd5c427b0c17ad45f42a502ccd

SHA256
3732d4a933c24d3c951807db838f01d5f1a67d936433d231b08548b036950f09

SHA512
320c91c5ef8f7f2cb3b053a3bd6e10b52d7c464e9baafe606f1eb6a851c2fd7fe25dce7413aa3d5e16e926076aa7201247d1ec04ed26242bb67580cf64e90cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
434B

MD5
847b4a9115ba8deb4c08ea53c1accbfe

SHA1
fbedc8db577d4bbd5c427b0c17ad45f42a502ccd

SHA256
3732d4a933c24d3c951807db838f01d5f1a67d936433d231b08548b036950f09

SHA512
320c91c5ef8f7f2cb3b053a3bd6e10b52d7c464e9baafe606f1eb6a851c2fd7fe25dce7413aa3d5e16e926076aa7201247d1ec04ed26242bb67580cf64e90cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FFA6E45777C6CE08CA96D0E3CFF29477

Filesize
426B

MD5
356a84f1388ea66b30c62018c6968a20

SHA1
9cf7be634834d534ba631206d319e209916fe439

SHA256
3344085d5e1decd16d8425fd70815fa51c139263a24e454243f372c6acae608f

SHA512
eeb06dd29cf3fffb747017db3bd7cde7901cd3b286ed3154bc8bb0f251fdfc2a612f8eb1d023aea1b19097ab6ccf12fef5ac881ac16de03556ddc4e1d2321c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
439B

MD5
7fecc9a65d4f7c107c2be3c3a388863d

SHA1
84650843902c571f8fd1eb574c31ed2f37fa70fc

SHA256
0cec47645164cc81612a99838eb50bb3e5f3331df18d6a2175d34a8bf1c73deb

SHA512
2ee3b6abe37de3a14b86e7c644f42ef30d8dc43b876e13f43b45790b839d45d7203c1925021487e19ad4f2fbb51866a54c77d49935505b09bb82bf429995a71b

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
523B

MD5
d0d9af74af693becf63defe373d7cd17

SHA1
85348cfe871dbfffc2b2d38f8783290abb79adc0

SHA256
42c17b8a51f062bbec385288b8aa970f54ba964adff64c2acc063a0e66de0faf

SHA512
38c22bd5d0fc20d9d2a3283d01938496d9f06a07d4818b61ca83235091fe5b893071af348fab7c0d54cf04be153abab4dd27dcef04feb29c4123ecaf420555d9

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
553B

MD5
690c77a67d9f43219a94890a22aba9c0

SHA1
efb345289cd41343e18a943d538ceafb1d51e3d1

SHA256
e71afc24428c1fc870fbd51e16e7e9e29f6a0e3db665cfe6a2bd567807ecadb9

SHA512
49e1532bc4949afb2cbe59a00c4f7cefc93e350962d5e547a8bdb2142582205080bebd6b326fbdd2f94481e114cf2bebd024744429a8d79642dd983419126e40

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
553B

MD5
7e198327c2f216388290ec49bc50f03d

SHA1
7767a6363616ab99068a95e7c40bbf80644f15b0

SHA256
e7672c118739f746f6128186f461fb259f8e73227452926918d5e6c6094b2f00

SHA512
eb26c8480cc0c673b8e69938a499bc9b83e1f4087e179cf4e5055e7459425940e8825a116195adc25bcd91e941fabb218766505dff7b7fdbad1d76e85a901af5

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
609B

MD5
9c1c8b3a4daaae939033afe1452ca41e

SHA1
c8662f70f808866e07d6d5c1dd73fbe333511d15

SHA256
c6843078d0df5d57b1dfb7e0ec6ae12715dd9d5485cb641be291ded34da23698

SHA512
101f8a31e15995b0b6bfd5a662099b1fffe15835433074d7d49de1b82983d65cb27eaf9e7d7dabadbdf766ba2a20988da756db72f0b486a203322d6782b3bf83

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
691B

MD5
85d2875a76df615a7d50d83d99bedc16

SHA1
39e5506c917dedef0738dcfcfc86b6d30fe42944

SHA256
5315914548f22a8032ec82026cdaeda5e48b096816a0dcef5022d1ca5dfee7cd

SHA512
c394b397c5d00d65c007dfd65e7b9e9461e1dd48ef99bd26c4fe2c1096126fc4fd41ee83285132c0798b867f78bb482e7bbf0d5859e36031a427a51d6f5ac7f1

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
691B

MD5
85d2875a76df615a7d50d83d99bedc16

SHA1
39e5506c917dedef0738dcfcfc86b6d30fe42944

SHA256
5315914548f22a8032ec82026cdaeda5e48b096816a0dcef5022d1ca5dfee7cd

SHA512
c394b397c5d00d65c007dfd65e7b9e9461e1dd48ef99bd26c4fe2c1096126fc4fd41ee83285132c0798b867f78bb482e7bbf0d5859e36031a427a51d6f5ac7f1

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
851B

MD5
b78d80259bf5212b127227b4d023e7f1

SHA1
80d55278c398e2fd89ff2ceb759a8e8cfcd94f50

SHA256
e40cc1392ff4450831e8cb963dfc7d79b9eb62439cbabceb8170f26ab976d4ce

SHA512
73107f4027cf3f65bf27b48b1cf60745b5ce315b23e478b4334bf4bcbba21740d1ea8c0063ed3286430b95f012955f6c8050ccef7d04be7d0354b97e657f8667

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
851B

MD5
b78d80259bf5212b127227b4d023e7f1

SHA1
80d55278c398e2fd89ff2ceb759a8e8cfcd94f50

SHA256
e40cc1392ff4450831e8cb963dfc7d79b9eb62439cbabceb8170f26ab976d4ce

SHA512
73107f4027cf3f65bf27b48b1cf60745b5ce315b23e478b4334bf4bcbba21740d1ea8c0063ed3286430b95f012955f6c8050ccef7d04be7d0354b97e657f8667

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
851B

MD5
b78d80259bf5212b127227b4d023e7f1

SHA1
80d55278c398e2fd89ff2ceb759a8e8cfcd94f50

SHA256
e40cc1392ff4450831e8cb963dfc7d79b9eb62439cbabceb8170f26ab976d4ce

SHA512
73107f4027cf3f65bf27b48b1cf60745b5ce315b23e478b4334bf4bcbba21740d1ea8c0063ed3286430b95f012955f6c8050ccef7d04be7d0354b97e657f8667

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
878B

MD5
bff84f10ae425a0e287010dca732598c

SHA1
f2908c4fedbcea7b2dd773c0fcf8c7a902e7540b

SHA256
28264c5191c92f00788169034d2992c0ad4bd80a22289845afc252273f012da2

SHA512
23029864a7476fab190fd92b9a47b9a94b513840aa3c8e08eaa42eabf1afc6fa1e0fcd4a8b2b46bc2a0567dc0e3128b49b36a40291bcdf0a13ed6ffd7c32501d

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\UseCache.ini

Filesize
214B

MD5
3633f10a8eaa023c81891c0a3f6bbe81

SHA1
2eadc6941196406705883c98ae850ba087c6e653

SHA256
2a770bfb1be94c6b3997c0de720629df9c709c4fcae38bce358ed5fce9b38352

SHA512
523be48ccdc32a00ed011b1d3a53b640c616f6b3c71ec94490226809b986d82da43c9a6dccb52a586003183972266c9082d4db1c4d3cca7197240d7ef786e758

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\WnSvdarme.dll

Filesize
1.9MB

MD5
e4ca9eadaae1c2bb70b07263b74ed91e

SHA1
0321c5b0654dd17ffe60e36afa4bbe39bd3a4618

SHA256
56a926ef76d060ec87e8672e94c0f0617cfac66579cae5189693183c90adfb9f

SHA512
a6a05e649b3f77821ea360e46cf064a62bf050b5caa26750294677b1aa6fc0812d3478d1f60f3aead5de6e24122993d568089dae284c654d789d6e0c48ce9132

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FFA6E45777C6CE08CA96D0E3CFF29477

Filesize
471B

MD5
5ba190d7308ad2a6846536be7973d093

SHA1
e603159b2da20467f4576436bc7e0eea54ad4d92

SHA256
d5632e3b43673d4335791240538e5ae3b43daf1881dafcb59a5ae748061773b6

SHA512
f6a5526c76129bbe876a002abdffc28c755572f710885911d07fb1ffe65c8bcc5c1a43b53692bf92d708c2f88c97d2a1f6486a11d3fc5b309dc1b89279dcb38b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
434B

MD5
672461d0ad5fb9a3ca08bbade6bb5df2

SHA1
9ac5c27a7ed5a23f21af1a8176c3188b26708f30

SHA256
886e4a912135110b738a84abf6dfaaa165ab03817164984779df785caf0ed525

SHA512
c32b6ef285675e0d1e2916af802aa884c80cd0836b7bc657c25945320ae3a953c5bd642ade33488b3baf295707105b57a7b4abc1a4b1b3591f294ebdf32201e5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D

Filesize
434B

MD5
672461d0ad5fb9a3ca08bbade6bb5df2

SHA1
9ac5c27a7ed5a23f21af1a8176c3188b26708f30

SHA256
886e4a912135110b738a84abf6dfaaa165ab03817164984779df785caf0ed525

SHA512
c32b6ef285675e0d1e2916af802aa884c80cd0836b7bc657c25945320ae3a953c5bd642ade33488b3baf295707105b57a7b4abc1a4b1b3591f294ebdf32201e5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FFA6E45777C6CE08CA96D0E3CFF29477

Filesize
426B

MD5
a67913192a3724af07a6009bd501d895

SHA1
92e36e9dc59eb4509c77d05a684b58a29f14e19d

SHA256
7781b02f0447f0df46376407454e582e38e42f4de5cc65c31e29ebab9fdfaf0e

SHA512
c1e2e09431034f1d74f3c76be5ff88d467e62f53c5bb01e2413f3180c176b5ace869075cf4df5bcfc7a194c0bb6de6eaa0d72b8c4ab74f64839feeb022006bbf

Download Submit
\??\c:\users\admin\appdata\roaming\restreful\Eleglate.ini

Filesize
214B

MD5
450744c821bc27259ed7b14890ee5f29

SHA1
5588285cbf7451e6323d3f1aff260e69f3eff2ad

SHA256
6fc607259ac8cafb1402af3ead228d14724bf9ccfe42a05114ea31a0f9bdec07

SHA512
a33b1cb41b4a23441dc5842c1f125052b30bdb61ecc6524e326947e9263d06fab557151623422e6dd9b53255b707dcd5b2d336230b306df74a7facbf08c95033

Download Submit
\??\c:\users\admin\appdata\roaming\restreful\Eleglate.ini

Filesize
214B

MD5
efb6b9fb9c93c935738ef7cf79f81d0e

SHA1
bedcf648d2b6427d7b726bf90c958fc3c358efae

SHA256
a03d65aa9dde8165b987b0d414b5464ad34ff142a4d202bbf5172cd12be4612d

SHA512
7c4f8e809d5d197510d1c615d7b262381eb69f87a0c6eea631103cc1449a5a667fbb29c1f1391e6b5045f9c5e56b6f62c39f20b505de0d0d4bced70f2c54ad3f

Download Submit
\??\c:\users\admin\appdata\roaming\restreful\wnsvdarme.dll

Filesize
1.9MB

MD5
e4ca9eadaae1c2bb70b07263b74ed91e

SHA1
0321c5b0654dd17ffe60e36afa4bbe39bd3a4618

SHA256
56a926ef76d060ec87e8672e94c0f0617cfac66579cae5189693183c90adfb9f

SHA512
a6a05e649b3f77821ea360e46cf064a62bf050b5caa26750294677b1aa6fc0812d3478d1f60f3aead5de6e24122993d568089dae284c654d789d6e0c48ce9132

Download Submit
memory/372-132-0x0000000010000000-0x0000000010520000-memory.dmp

Filesize
5.1MB

Download
memory/456-189-0x0000000002DE0000-0x0000000003001000-memory.dmp

Filesize
2.1MB

Download
memory/456-183-0x0000000010000000-0x00000000102E2000-memory.dmp

Filesize
2.9MB

Download
memory/1524-212-0x0000000010000000-0x0000000010119000-memory.dmp

Filesize
1.1MB

Download
memory/1524-196-0x0000000000000000-mapping.dmp

Download
memory/1776-171-0x0000000000000000-mapping.dmp

Download
memory/2284-174-0x0000000000000000-mapping.dmp

Download
memory/2412-168-0x0000000000000000-mapping.dmp

Download
memory/4084-194-0x0000000000000000-mapping.dmp

Download
memory/4084-218-0x0000000010000000-0x0000000010700000-memory.dmp

Filesize
7.0MB

Download
memory/4380-176-0x0000000000000000-mapping.dmp

Download
memory/4888-139-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/4888-138-0x0000000000000000-mapping.dmp

Download
memory/4888-140-0x0000000004DE0000-0x0000000005408000-memory.dmp

Filesize
6.2MB

Download
memory/4888-154-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/4888-141-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/4888-142-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/4888-143-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/4888-144-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/4888-145-0x0000000006C80000-0x0000000006CB2000-memory.dmp

Filesize
200KB

Download
memory/4888-150-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download
memory/4888-151-0x0000000007060000-0x00000000070F6000-memory.dmp

Filesize
600KB

Download
memory/4888-152-0x0000000007020000-0x000000000702E000-memory.dmp

Filesize
56KB

Download
memory/4888-153-0x0000000007130000-0x000000000714A000-memory.dmp

Filesize
104KB

Download
memory/4888-146-0x000000006FD70000-0x000000006FDBC000-memory.dmp

Filesize
304KB

Download
memory/4888-147-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/4888-148-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/4888-149-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

Filesize
104KB

Download