23fa814676ee17dbd87b7ab1cb87b33f29638c16a070ea4fa4402bc9a3926497

Resubmissions

24-02-2023 04:37

230224-e8y4hsac85 10

Analysis

max time kernel
244s
max time network
431s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-02-2023 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Size

1.9MB
MD5

e55cd588b395db3c8aee4a6bbdf4b2bf
SHA1

775c55c15821fb19e9d7c6a876865adba25386dc
SHA256

23fa814676ee17dbd87b7ab1cb87b33f29638c16a070ea4fa4402bc9a3926497
SHA512

a3828eb1ae9be2ebc2ec9b847dc2d833c09c48015576f26c533337c593f429cf767b2c5de585a17e814d3baa7878432e67327055dc45d811fa7fa3fb7690f92a
SSDEEP

49152:hlqwRsD6EZq9NBN8EFWI6xuPFT4u6Dr1LJPMxu:hlqwRsOEiTVFM2T4FD9

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Restreful\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Roaming\\Restreful\\WnSvdarme.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe

Executes dropped EXE 15 IoCs

pid	Process
432	WNSoftSer.exe
1820	WnUmanlike.exe
1988	WnUmanlike.exe
1644	WnUmanlike.exe
2024	WnFSUpd.exe
568	WnSoftManager.exe
1888	WnSoftManager.exe
1724	WnSvceous.exe
892	WnSvceous.exe
1736	WnSvceous.exe
1916	WnUmanlike.exe
1284	WnUmanlike.exe
892	WnUmanlike.exe
1492	WnUmanlike.exe
856	WnUmanlike.exe

Loads dropped DLL 23 IoCs

pid	Process
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1396	svchost.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
568	WnSoftManager.exe
1888	WnSoftManager.exe
1396	svchost.exe
1912	explorer.exe
1912	explorer.exe
1524	7zFM.exe
1260	Process not Found

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe

Registers COM server for autorun 1 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ThreadingModel = "Apartment"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous64.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ = "C:\\Windows\\system32\\WnAcelein64.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnCosemism64.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnCosemism64.dll"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ThreadingModel = "Apartment"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ThreadingModel = "Apartment"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ThreadingModel = "Apartment"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous64.dll"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ThreadingModel = "Apartment"	WnUmanlike.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\	WnSoftManager.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	WnSoftManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\	svchost.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\xst[1].abf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_8C07DDBFCA3A75E7CA10ADBEB58A3060	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FFA6E45777C6CE08CA96D0E3CFF29477	svchost.exe
File created	C:\Windows\system32\WnAcelein64.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\a30666352098[1].bae	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_D14B79B440CDC26D7D21C81855E2C04D	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_8C07DDBFCA3A75E7CA10ADBEB58A3060	WNSoftSer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7f70110c47e5[1].bae	WNSoftSer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57	svchost.exe
File created	C:\Windows\system32\WnAcelein.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FFA6E45777C6CE08CA96D0E3CFF29477	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon\normal.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wke.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tff	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wndr.cat	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\update.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon\normal.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini	WnUmanlike.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini	WnUmanlike.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wke.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon\update.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File opened for modification	C:\Program Files (x86)\WanNengSoftManager\Icon\AllIcon\update.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
File created	C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\update.ico	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WnSoftManager.exe = "11000"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\WnSoftManager.exe = "0"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\WnSoftManager.exe = "0"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\WnSoftManager.exe = "1"	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WnSoftManager.exe = "11000"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	WnSoftManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \WnSoftManager.exe = "1"	WnSoftManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	WnSoftManager.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA13226A-6EFB-4D80-972B-CADF9B4C25E3}\WpadNetworkName = "Network 2"	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-97-fa-73-34-cb\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA13226A-6EFB-4D80-972B-CADF9B4C25E3}\WpadDecision = "0"	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-97-fa-73-34-cb	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WNSoftSer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-97-fa-73-34-cb\WpadDecisionTime = d002133f1248d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA13226A-6EFB-4D80-972B-CADF9B4C25E3}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-97-fa-73-34-cb\WpadDecisionTime = 90d6be3b1248d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	WNSoftSer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA13226A-6EFB-4D80-972B-CADF9B4C25E3}\WpadDecisionReason = "1"	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\WanNengSoftManager\WNGJAppInfo\UsrPath = "C:\\Users\\Admin\\AppData\\LocalLow\\WanNengSoftManager.user\\"	WnUmanlike.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA13226A-6EFB-4D80-972B-CADF9B4C25E3}\f6-97-fa-73-34-cb	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WNSoftSer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-97-fa-73-34-cb\WpadDecisionReason = "1"	WNSoftSer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\WanNengSoftManager\WNGJAppInfo\CfgPath = "C:\\Users\\Admin\\AppData\\LocalLow\\WanNengSoftManager\\"	WnUmanlike.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	WNSoftSer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-97-fa-73-34-cb	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WNSoftSer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA13226A-6EFB-4D80-972B-CADF9B4C25E3}\WpadDecisionTime = 90d6be3b1248d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WNSoftSer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win64\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous64.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\VersionIndependentProgID	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\ProgID	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\TypeLib\ = "{163D4049-C925-40CE-A3D4-55CBCAF4065F}"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\TypeLib	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win32	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnFerous.dll"	WnUmanlike.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\AppID = "{BCC0C344-044B-4163-9040-AE87603AA028}"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ThreadingModel = "Apartment"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\WnAcelein64.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\ = "CloudSoftManagershExt Class"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\0\win64	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Version	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\CloudSoftManagershExt\ = "{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32\ = "C:\\Windows\\system32\\WnAcelein64.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\FLAGS\ = "0"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WanNengSoftManager	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WanNengSoftManager	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\0	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WanNengSoftManager	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\ = "CloudSoftManagershExt Class"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Version\ = "1.0"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\ProgID\ = "CloudSoftManagerOverlayIcon.MyCloudSoftManagerOverlayIcon.1"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\VersionIndependentProgID	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\ = "MyCloudSoftManagerOverlayIcon Class"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\WanNengSoftManager	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Version	WnUmanlike.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\InprocServer32\ = "C:\\Program Files (x86)\\WanNengSoftManager\\WnCosemism64.dll"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Programmable	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WanNengSoftManager\\"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WanNengSoftManager\ = "{4DC6C17B-7019-42CB-A602-90408C0282D4}"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\HELPDIR	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4DC6C17B-7019-42CB-A602-90408C0282D4}\ = "CloudSoftManager Shell Extension"	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\Programmable	WnUmanlike.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8DF47B6A-69EC-4A98-9ED0-5DA19732920F}\InprocServer32	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WanNengSoftManager	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32\ThreadingModel = "Apartment"	WnUmanlike.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\TypeLib\ = "{163D4049-C925-40CE-A3D4-55CBCAF4065F}"	WnUmanlike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF513021-FF0F-40FD-8BF0-711EA843DD9F}\1.0\0\win32	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{163D4049-C925-40CE-A3D4-55CBCAF4065F}\1.0\HELPDIR	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{804AE2AA-FD89-46A5-B3F0-A4AD305D6E2F}\InprocServer32	WnUmanlike.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	WNSoftSer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	WNSoftSer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1584	powershell.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
432	WNSoftSer.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1912	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeRestorePrivilege	1524	7zFM.exe
Token: 35	1524	7zFM.exe
Token: SeSecurityPrivilege	1524	7zFM.exe
Token: SeShutdownPrivilege	1588	chrome.exe
Token: SeShutdownPrivilege	1588	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1524	7zFM.exe
1524	7zFM.exe
1524	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1584	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	31
PID 1212 wrote to memory of 1584	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	31
PID 1212 wrote to memory of 1584	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	31
PID 1212 wrote to memory of 1584	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	31
PID 432 wrote to memory of 1820	432	WNSoftSer.exe	35
PID 432 wrote to memory of 1820	432	WNSoftSer.exe	35
PID 432 wrote to memory of 1820	432	WNSoftSer.exe	35
PID 432 wrote to memory of 1820	432	WNSoftSer.exe	35
PID 432 wrote to memory of 1988	432	WNSoftSer.exe	37
PID 432 wrote to memory of 1988	432	WNSoftSer.exe	37
PID 432 wrote to memory of 1988	432	WNSoftSer.exe	37
PID 432 wrote to memory of 1988	432	WNSoftSer.exe	37
PID 432 wrote to memory of 1644	432	WNSoftSer.exe	36
PID 432 wrote to memory of 1644	432	WNSoftSer.exe	36
PID 432 wrote to memory of 1644	432	WNSoftSer.exe	36
PID 432 wrote to memory of 1644	432	WNSoftSer.exe	36
PID 432 wrote to memory of 2024	432	WNSoftSer.exe	38
PID 432 wrote to memory of 2024	432	WNSoftSer.exe	38
PID 432 wrote to memory of 2024	432	WNSoftSer.exe	38
PID 432 wrote to memory of 2024	432	WNSoftSer.exe	38
PID 1212 wrote to memory of 1888	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	40
PID 1212 wrote to memory of 1888	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	40
PID 1212 wrote to memory of 1888	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	40
PID 1212 wrote to memory of 1888	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	40
PID 1212 wrote to memory of 568	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	39
PID 1212 wrote to memory of 568	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	39
PID 1212 wrote to memory of 568	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	39
PID 1212 wrote to memory of 568	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	39
PID 1396 wrote to memory of 1724	1396	svchost.exe	43
PID 1396 wrote to memory of 1724	1396	svchost.exe	43
PID 1396 wrote to memory of 1724	1396	svchost.exe	43
PID 1396 wrote to memory of 1724	1396	svchost.exe	43
PID 1724 wrote to memory of 892	1724	WnSvceous.exe	44
PID 1724 wrote to memory of 892	1724	WnSvceous.exe	44
PID 1724 wrote to memory of 892	1724	WnSvceous.exe	44
PID 1724 wrote to memory of 892	1724	WnSvceous.exe	44
PID 1724 wrote to memory of 1736	1724	WnSvceous.exe	45
PID 1724 wrote to memory of 1736	1724	WnSvceous.exe	45
PID 1724 wrote to memory of 1736	1724	WnSvceous.exe	45
PID 1724 wrote to memory of 1736	1724	WnSvceous.exe	45
PID 1212 wrote to memory of 1360	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	46
PID 1212 wrote to memory of 1360	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	46
PID 1212 wrote to memory of 1360	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	46
PID 1212 wrote to memory of 1360	1212	ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe	46
PID 1912 wrote to memory of 1916	1912	explorer.exe	49
PID 1912 wrote to memory of 1916	1912	explorer.exe	49
PID 1912 wrote to memory of 1916	1912	explorer.exe	49
PID 1912 wrote to memory of 1916	1912	explorer.exe	49
PID 1916 wrote to memory of 1284	1916	WnUmanlike.exe	50
PID 1916 wrote to memory of 1284	1916	WnUmanlike.exe	50
PID 1916 wrote to memory of 1284	1916	WnUmanlike.exe	50
PID 1916 wrote to memory of 1284	1916	WnUmanlike.exe	50
PID 1916 wrote to memory of 892	1916	WnUmanlike.exe	51
PID 1916 wrote to memory of 892	1916	WnUmanlike.exe	51
PID 1916 wrote to memory of 892	1916	WnUmanlike.exe	51
PID 1916 wrote to memory of 892	1916	WnUmanlike.exe	51
PID 1912 wrote to memory of 1492	1912	explorer.exe	52
PID 1912 wrote to memory of 1492	1912	explorer.exe	52
PID 1912 wrote to memory of 1492	1912	explorer.exe	52
PID 1912 wrote to memory of 1492	1912	explorer.exe	52
PID 1912 wrote to memory of 1524	1912	explorer.exe	53
PID 1912 wrote to memory of 1524	1912	explorer.exe	53
PID 1912 wrote to memory of 1524	1912	explorer.exe	53
PID 1492 wrote to memory of 856	1492	WnUmanlike.exe	54

C:\Users\Admin\AppData\Local\Temp\ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe
"C:\Users\Admin\AppData\Local\Temp\ShaShenRAT远控工具 V1.0.0 绿色免费版_048_866913.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Maps connected drives based on registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WanNengSoftManager\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe" 5d6c7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  PID:568
- C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe" 5d6c7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  PID:1888
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /e,/select, C:\Users\Admin\Desktop\ShaShenRAT---- V100 -----.rar
  2⤵
  PID:1360

C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe
"C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe" 05e
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 0b2 --9fa1=0
  2⤵
  - Executes dropped EXE
  PID:1820
- - C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
    "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" a80 --9fa1=0
    3⤵
    PID:2672
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 535
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 133 --9fa1=0
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:1988
- C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe" d1d
  2⤵
  - Executes dropped EXE
  PID:2024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Picnicter
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe
  "C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe" a6b --9fa1=0
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe
    "C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe" 2fa --9fa1=0
    3⤵
    - Executes dropped EXE
    PID:892
- - C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe
    "C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe" 0f0 --9fa1=0
    3⤵
    - Executes dropped EXE
    PID:1736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 0b2 --9fa1=3
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
    "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" a80 --9fa1=3
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
    "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 0f2
    3⤵
    - Executes dropped EXE
    PID:892
- C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
  "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" 0b2 --9fa1=2
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
    "C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe" a80 --9fa1=2
    3⤵
    - Executes dropped EXE
    PID:856
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\ShaShenRAT---- V100 -----.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65a9758,0x7fef65a9768,0x7fef65a9778
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1268,i,10919651183467412135,15953808877397579670,131072 /prefetch:2
  2⤵
  PID:2180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini

Filesize
194B

MD5
8169df157e5aaa7814e19e4a312a8e6e

SHA1
9250c428993ae78da6f578af6ee968d632f14b32

SHA256
d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812

SHA512
6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1

Download Submit
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini

Filesize
194B

MD5
8169df157e5aaa7814e19e4a312a8e6e

SHA1
9250c428993ae78da6f578af6ee968d632f14b32

SHA256
d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812

SHA512
6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1

Download Submit
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini

Filesize
194B

MD5
8169df157e5aaa7814e19e4a312a8e6e

SHA1
9250c428993ae78da6f578af6ee968d632f14b32

SHA256
d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812

SHA512
6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1

Download Submit
C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico

Filesize
197KB

MD5
e1bd484966a645a7b456a67ed4a2677c

SHA1
528d589847d60b41e5faa40c6ee5e1d361df0c55

SHA256
87868f0c311ba96d5f8069b070a8309d2a54813535ae99d852cff44a23f626f6

SHA512
8f76bc32ab178b056a7c01608e8a0596aa1784f290837a8f0b844f097a4170d3cf9ed400f9c27de1ccdc645e012a66f086069a922ed2de9bd28cda584cf57dbc

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WNSoftSer.exe

Filesize
2.5MB

MD5
db101c5d26f7d92064c6d3faaba20175

SHA1
683afd3c7512886d0f4c5987deefafb5f396b573

SHA256
f5cd65baabbcc556b0beae9e6e65b71b5fd19b44f7776cfaef9b6bd09bb156f5

SHA512
07f56957258ed8bee16577998bbf97f7d8ff799cacf865fdb47029dc008af6df632ac55e860b0f859b7525d41478f06885bda89185b67f73c79eccc30ec83503

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini

Filesize
216B

MD5
d5d7c98cd86ad21fa2733a55bfc7935d

SHA1
3434dc157833438f714a48b99cc50233cda10e80

SHA256
44a2a84a45829b8124469e3b488ca6f092dd284050fe3643e5ff5a8dafdd46ef

SHA512
9fea8eea4711cdd74ed65df7241fb4806d51236447c2f4d953232bff51fde5561c43a32dcd429b0f263d43289ac0a2386eae9939944f17b568681a2e37c58d68

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini

Filesize
216B

MD5
d5d7c98cd86ad21fa2733a55bfc7935d

SHA1
3434dc157833438f714a48b99cc50233cda10e80

SHA256
44a2a84a45829b8124469e3b488ca6f092dd284050fe3643e5ff5a8dafdd46ef

SHA512
9fea8eea4711cdd74ed65df7241fb4806d51236447c2f4d953232bff51fde5561c43a32dcd429b0f263d43289ac0a2386eae9939944f17b568681a2e37c58d68

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini

Filesize
282B

MD5
6497b215da8db47c9dac40b56a1291f8

SHA1
4bd2fb9120539ec63c95e25dbd3ac5ef4e986dc6

SHA256
9339a1c37c75e06862cfba742bcb0c2d1f18a6f40b25ac8ddc37c98d8748e553

SHA512
fa81b9377506d34416956950a6645a64d5ffdd4af1de84179bcdc7d80d3ead181ad04fa02d6f9eda44e5bffc877a5835b2badee72a99e0f8fd090bcae55eb848

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini

Filesize
282B

MD5
6497b215da8db47c9dac40b56a1291f8

SHA1
4bd2fb9120539ec63c95e25dbd3ac5ef4e986dc6

SHA256
9339a1c37c75e06862cfba742bcb0c2d1f18a6f40b25ac8ddc37c98d8748e553

SHA512
fa81b9377506d34416956950a6645a64d5ffdd4af1de84179bcdc7d80d3ead181ad04fa02d6f9eda44e5bffc877a5835b2badee72a99e0f8fd090bcae55eb848

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll

Filesize
219KB

MD5
8e2c5d3c053319ed8d63483d256449bc

SHA1
961dfe8155befb9947f58c84df4c4fb32623c911

SHA256
a1cdb58efe50c9824776219541ec36fc9532f0dc68e6f95321bdf4c538387637

SHA512
18b2e3b861db93b1ea1ac090791296aa25d1d2a6584b2624b982f044fb0142c4c413e134cc244d3b3273f90150ee7a22fda1a92bdb5f1f34bf95281579a8f042

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll

Filesize
264KB

MD5
1b900520d1c09713f2906f4c5b9d8615

SHA1
38f9967da362505caa4b8a02847288662752447d

SHA256
d8dd77d93a35ffe5d55f16497ccb3ab9cd0c4214d9b6d82ce48c9c2ab2cbb697

SHA512
ccadfd98bf7b4127ba2feb0c040b4af27c2749cc4d063ba6a3f96b10e24fdf237f98f3a9f923f3187461237bd402e7e6bd086fb1bff8847d0e49981f1f639f12

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll

Filesize
426KB

MD5
7b77180aa387e2480811c118a30dd05e

SHA1
159d07f6a313f130f046af392aaad50bab80eeb6

SHA256
355943ed9b2bbb59ab4298b83d3a98290a42fcee87a1cd46e7c777161a09c106

SHA512
90549e017e331761632f8b5fddecfba928401fce2a5afef5aee665f980d529666ffb36eb5bd5e9cec78b051b4d3bbfaa35f0b72b85cc706176b4a1b5422b6afb

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll

Filesize
475KB

MD5
d468405798b4794714b55d7acb5c337f

SHA1
6131ea842c69cb2cf0b8f1b1be1558168e023fb1

SHA256
550994432a9ebce0b266a2d7892194e89d5aab4b2b6d7dae6b102fcdcb803c84

SHA512
ca64de673d4a2f4fd63ed7347f7d9e0743c5ee5583563423429f1d19952f43cb91ee61e8b85f08731325700e92836d5d4026d79929b0e1811c25a6aa06e8ee1c

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe

Filesize
4.5MB

MD5
30d04c3ac9a0a938f0742c504ad7b256

SHA1
46966a65cb4c4e74cd949bc2615776701564b67b

SHA256
5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103

SHA512
17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe

Filesize
4.5MB

MD5
30d04c3ac9a0a938f0742c504ad7b256

SHA1
46966a65cb4c4e74cd949bc2615776701564b67b

SHA256
5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103

SHA512
17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe

Filesize
4.5MB

MD5
30d04c3ac9a0a938f0742c504ad7b256

SHA1
46966a65cb4c4e74cd949bc2615776701564b67b

SHA256
5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103

SHA512
17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll

Filesize
250KB

MD5
6b5253223698a88ea8393c0bb324aae8

SHA1
df156ead59e070d232aa6488c8ce1d857617aa15

SHA256
3ef4d209c611807a27b2e01298ef2651a25b01f389ef59c60997a019bf14c575

SHA512
595aa7805198984cbcceffc71ad45d1fb4b6651987030a78dc703f0f0d575ddb7606c69fc5aa1e563a8d679f0b56b32c436b1a299f1f5e173d23d35e8ecc0a18

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll

Filesize
303KB

MD5
acd59a749f0e56a163bddc1f454f69b2

SHA1
08f05945d666c6e19e0e8eaf0ab14d26eaa424fd

SHA256
c7fce5752658147e008cbfa8b39dfdb51615ff2c0e73866483bf829c375b8ce5

SHA512
627b027abdd502738958bbf62fdf737cf8a0930e4ac5c54e4ef5d74e6493d196b69a6b3911518d115fbcf039868e16e88ba7b1d6c01d8a993c945e99bb6ab234

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll

Filesize
2.7MB

MD5
de11310bfdd3f2d2bf49201dd1914699

SHA1
4625d4d3bf4ece6599fbb1abd7357438c6d76ae5

SHA256
b485275db6102a1c1fa41b8b260d35bbdb7600d6d1c32099c54b3b6750556699

SHA512
ee91e6d5953207ed69b011ed06ed1fc95fcf86d392009802a6f4d080fbe306123c30cfc7a5e64839a51c5cd018a4e147dc3b962088a3a30ba2f0880ba59b437c

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe

Filesize
2.3MB

MD5
c9f30057628368706bcdc4cc1da5fc27

SHA1
8447d2ec544b4288c0eb4f0c913cdda8e475fc31

SHA256
64b9caf38355a451b34e8a7d012fb7e60eb4b76fd98fe82c096e0e34268d7d51

SHA512
c9135fca1f79531a5ff16c6a641dd110952f7b28958a245fc75a7ff2a8c8c271b4c2c95ba2f288909ffbfefca70c7c12f0a8ae0d763c69d5a93bc50b5ca35eb0

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe

Filesize
2.4MB

MD5
1a8d6b945faa865f5c189bba5df42844

SHA1
10b7c7628a40a882de155722c2d7942734fe4901

SHA256
de8eac7f944a6c99a894b74fa4327f765cb381d4745602f3acbbcf1c3a7ff5ab

SHA512
579993711e6eba9a54f72a04f13209255e50656277dac9e0309ca77afec3acbe12ad3ccb4337afde70e2d5db7453a0ab557585e45da4699ebe03bf1d635777b6

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc

Filesize
42KB

MD5
2c4fdced429b803305607ed171dff5bb

SHA1
449000b216cbb472bc18b122c4fa516adb299a19

SHA256
ce792fbac3c45906e948319f9e06d2854ee6ab580220f66c562cd75358b1a894

SHA512
f499a42044774222c3221fde90b0c33617ff329b2d858e242a31f6f365c8b36a7628dca24c41d92cf2adfc36813ba5cb309f48c5ad616377b348124837784465

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes

Filesize
39KB

MD5
e220627df0f7912ca9abf9003e3536ac

SHA1
5dfade04a3a08d68f2937b89792c06db299eaa7e

SHA256
844a4a6d945fbce245cde1f3edb7ed3c93b36b472a3a00c347d210c4e459f921

SHA512
a69326f0ba5450f859308a9a1d44d7f021ac7209674274ddb8437ab885567f39cc4571f38b739ea731510c7755e3afd4923e28d20cbfdc162fd41c1920592c9e

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tff

Filesize
45KB

MD5
17758d686860dddfa39a0515829a23c6

SHA1
f9efe7b295d31b3e8c359f8e3fe2e893fd0ebfce

SHA256
241610908c9f40566296f34066195c0606b577595b84cfb282337b58e23d07e1

SHA512
664f0a90c40d7789bef2e4866e96145d32d5dfafe329b6c62c54fe9bf367317ba5b69962454d62e4c94b9b9530df3d64d702bd54bac24ab380243ba6b6426a4b

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe

Filesize
2.5MB

MD5
db101c5d26f7d92064c6d3faaba20175

SHA1
683afd3c7512886d0f4c5987deefafb5f396b573

SHA256
f5cd65baabbcc556b0beae9e6e65b71b5fd19b44f7776cfaef9b6bd09bb156f5

SHA512
07f56957258ed8bee16577998bbf97f7d8ff799cacf865fdb47029dc008af6df632ac55e860b0f859b7525d41478f06885bda89185b67f73c79eccc30ec83503

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe

Filesize
2.2MB

MD5
7333a527dbedff3be88294d07dd9e4a1

SHA1
6aeb844db20b0f440734bf53283e57619834db7a

SHA256
1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3

SHA512
12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll

Filesize
2.2MB

MD5
2ea1bb79182e0832833828cf04288fbb

SHA1
3613dfa6fd8a15ad931db368fd4928d4836143e0

SHA256
b3c7a548073644da7d501e663cad09feef8ff30a2b232e58e2c50b6c8ca9d801

SHA512
55f443552a1cd1762dd5eabb35db459cc51d2bfadfa07a3a7fcaca99d437c1d077b84f660a08805af64c69bef0d0561c579c6d15e01b44b02218f8a932b813e5

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes

Filesize
50KB

MD5
6a99dce0aa4798a921799231fb98d0b7

SHA1
f986740992007f92ddb6db452a0d4ee7a3de3b3c

SHA256
64cad370d5373313a05e71efc4d719b17b4801576356e693b47e4515fb64641a

SHA512
31b684a3e72d36f6077f792257c4fd33ba79eb7a02e153b0898bfcaa64c8dac931b7ee7b371784b88b47a014fd744df2743388773444b82d25d65932b64d6eee

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff

Filesize
55KB

MD5
39b59f56c7cdcc204ea2e2f44f0f11ba

SHA1
5a6b0fa4849b38fd75edb0b66c1e8fcd4f70b17a

SHA256
5eccd83aa0e78f466a14fa4862d273eaa1999fed6cef6f451c6d7b829ea71388

SHA512
88b8ccfc1989cb4eb365562240a96117e2cb90601f053e803bee1c10defd17323a10e946797bd721bae6b4d8255a03f06a04266010ae838657e37c06525b85b5

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe

Filesize
4.3MB

MD5
4c87ae53f9687a128563aa0bdd931e3a

SHA1
f08b3e12e5e3492a8b0f14e2230c0da4099f9a88

SHA256
dd62ffa2383984ce8c009cb55cb6818afe9b343d6c8dc73f6f78210aa4d9e6f5

SHA512
e26bf9065a0d976fe3533b35c4e3193e98bec8cf46855bdfd58ce5b86106a1a8b4655c41d40dd407f2702dbaaa5d0b9c0ab7e73010fe2dd957ab5f2a010bc832

Download Submit
C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe

Filesize
2.4MB

MD5
3003134f2f47ee73ea52bd7690854274

SHA1
5ef19e5392cb71a98186ca2fa3fafafc1a8fae12

SHA256
6c51048d92d86081bd5323e2ce25734a2b5d0991585dcab95dd051b87204334b

SHA512
d4ba9175b4a0e2a7b8ba377d731a0c76dadaaad254630bd62781fbf72339c8228c501e9ddad0f456b1de9beac40910f1f2a964d78064e457e6f1e88cf7864965

Download Submit
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe

Filesize
2.4MB

MD5
a177078edd4918268d7c2f9b0ba086a0

SHA1
c8229ded91155bfe0de7ed49fa6df988129f7064

SHA256
c7459aeab6058396ccffb3e0b7cc45fbc39b90b86ec3c50accc4a5e10ff52edf

SHA512
e6f9680b897266453706cd236324551ed69ef9aa5061a5c1c5ad45acce8fb635d09174c760ce998403261e774d3bff207d73d2a26e97b78d9c120cf735f069b3

Download Submit
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe

Filesize
2.4MB

MD5
db553556e221b52c88a80b8005704737

SHA1
a76664b31a66d6f117a50224010616a335fd8e21

SHA256
98813ebe375289f2f514fa2064c5817f9bea0e89a91f16455918b46e42d7ed43

SHA512
4647a12b9ca93a4fd0cab4df518e5b0a66a5c5984ade09db335905cdd9da89074572ad3011c9f4a14823a08653183ba6ab4cf799ff1dd10fc13f3346f9d7d71d

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wke.dll

Filesize
11.2MB

MD5
cb099b500ceb0e2c123ceef14bd7183e

SHA1
7c7538b9bade66b4561bc14183b31deec50d0021

SHA256
bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592

SHA512
f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wke.dll

Filesize
11.2MB

MD5
cb099b500ceb0e2c123ceef14bd7183e

SHA1
7c7538b9bade66b4561bc14183b31deec50d0021

SHA256
bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592

SHA512
f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wndr.cat

Filesize
12KB

MD5
5d61437ee311a8aedc5af1d92b520a23

SHA1
4411b26ed712a63a6dd15d909e7c6c6d29d49400

SHA256
7f784e9ffd1ea2e8b19ed583db8d395d643186a7f930234ee69fd71dcc208f3b

SHA512
d0b1c5961e067693729546502255e91721e4a97e5413e76e9f19d73e774ff3f55ad89713f3b643c88e096958103536d600ef768e3eeca2d8a2b858b3953a8ff8

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico

Filesize
194KB

MD5
9fd1679643ee825d340f58471a869fde

SHA1
2ac5b4f383d5fa10ad3fbbb30c6fe0654c8b8039

SHA256
3c75eaa4dc66bc1cab8324f14a2f54a62a44ee050a7a6e925592921ebb48f8f5

SHA512
d1a4cb08415493f7b10a6edb45f2fe30c7e4d8cb77fe29143887edaac5bf992146df61c412016c687ef4dd9e1b181c7328c0811314e3ebec7f19798cb5e75a79

Download Submit
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico

Filesize
422KB

MD5
e7065376abcdb34c3147162172c29ea7

SHA1
4608d48bb5476823116db94a0890f52f559eca39

SHA256
ecb25a772f8e3db7027850aa646384d37190d9233dec18a9151201b0acb20c69

SHA512
7119480da0cc16a7609a611c984c888589c722edc9d5d213a488b11426020a92402ea06be0a375bb2912661d73caa06d4a52243b8233fdec64af1f056a8b44c2

Download Submit
C:\Users\Admin\AppData\LocalLow\BubblesPop\CheckToTips.ini

Filesize
43B

MD5
eca6452d772270786cbc250e897dfcce

SHA1
572acb565bf86ab68888daa1cbd686e555a5ad50

SHA256
8ad91de10f878602465b9423bac5d8c12a9180f88111b3c96c1516e7aae7801b

SHA512
5d513b6eae3798d7777766b1595cbfe48d4f2b9079418a910e024c65d0af11cee5e64720f4eea69e5b0f0cbc9a8dc6516aab8fff5f142736d740bc90cc96d723

Download Submit
C:\Users\Admin\AppData\LocalLow\BubblesPop\CheckToTips.ini

Filesize
123B

MD5
6aa840145e2420af3f084313bd675a09

SHA1
f61f14e3a3125fe877df4103597e6d873281284b

SHA256
c316b13f3095ca3f40c9e06f0ea06740688cac01447b10e9c155d5a7e5826b41

SHA512
e1c57a7610d3eed2630843a7ee10a22a719927553102757856f2f128d3e77f20499cf114249bdf0941c46d589b889008f58cbfcfb3323b474bf8130c3ab238b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_8C07DDBFCA3A75E7CA10ADBEB58A3060

Filesize
727B

MD5
882636a73a8dba86a16b78c7a51d0b9f

SHA1
88d592c76c12f9fe93c76f08ce9d1f69da7d4def

SHA256
580ff35bf96b9f2ea253519d01e9416b2d94e17333b018e2e5afbefe7007d4f2

SHA512
bc1f5b6f69bee364fa5b70a394a5b01a59993a336d3ac573597017e8815a8b82382d860220436f3f4fd526145c937dd728185ba26e69d3e28b34ba0780df4f0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
471B

MD5
3c82051f857b5a2569a8f06a197fad20

SHA1
9d89cb2a100654f0fffc00a6e03629e243776b1d

SHA256
b1852634fecbed93c7b1c06af5742f18a8a937e6a12b06403ff253963222e475

SHA512
fd1c280ff21d71cf8e0d99e332ba04bab7af59249403254997e48f35baa0077bdd0bed3ae38d076509f911a94717329f7dbfa1e64905a70655e891bb5ac99da7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_8C07DDBFCA3A75E7CA10ADBEB58A3060

Filesize
408B

MD5
d581e3141e959eba42065e0fa77d90a7

SHA1
673b721fd8c5e6aafd3fd19bfd8592ac780599f8

SHA256
7792b34bb15878c5c0af02f17b5efcae3238aeb84720c97fffb7a3f60aac6e7a

SHA512
16517d3300ce7fae387d2d813374280eef557ea4b2bd3204c5bd485a2f854a286bfed3256912e6a466b1277c4e1e1f7ec07d8b8f5c6c29116e12f570c805115e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c41d04225ce0c8525d7b9437d21a428b

SHA1
81796bc1582dd18730f7117556d1fc855caec6ed

SHA256
09590a49216ca4ec713b85209b47f7041b836970e00d02e4b598575dc518dd7e

SHA512
91f21ab6255086985f24c6abe99c9851176717aec7e7e6fae56cb37d4c86c45b3be965c7173553b2ee68e913e2417114be4a93d01745b0ea2f550de04e34b533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
430B

MD5
494a57c9f0e037bc8f695b70d39a2261

SHA1
fe9f800a623e36c52c2ac0e8e28cbce0c9fc6876

SHA256
a2010b5fc0e8903c2a6799091e0f58fa8a27552d924dfcd386979adfb6ef4168

SHA512
8d9c815f005f60aabab363a94fa40cd92bf51b6e3b0d7aa6f6d3f416cf81fa5fa8873f801c505303452241d420b2f3da6f64bb0c7281ed2879692ec32e848a43

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\7f70110c47e5.bae

Filesize
698B

MD5
f406f55b76eb6879aa83a9a5059493c6

SHA1
52eed9d9e1206e9a32ee2f70f4411371bb324024

SHA256
6c747a8508681272b3e0265526bdb3f08992bfdedb6f533d29aee8507576b7b6

SHA512
6f70ec5a241ff59e647f9f0a2bd47e09e8bd664a2f63f3f37068a0dffe2f053e1cadcfe65a93478a4005839096681eb06f32d6682c83759b2c31455414503e04

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\CA.png

Filesize
42KB

MD5
bf67b5d893a0631d9b996b519bb088ea

SHA1
77150dcbecca2700ad6a404c2a37b17a11ce92e3

SHA256
8aade176ae3a8f773a105281fd67041f1aabc13820511a2c98ea741a7a96f380

SHA512
c28010668ac3cfa99a07c82e55fe6b3dffa1f73d09b2333188e9a2f4120b39099559f36d0666c9141519fbf3b7bd7bead9b607628245209e81c017ff6134da07

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\QQyinyue.png

Filesize
3KB

MD5
b80ca7f884edd4741d26ea8519bc1e8a

SHA1
2210348eb58f54ee29b8f70193a6c7dfa1cb5890

SHA256
c424f8237cf2827866c689707fa900f32b79d8c858c262c82497c360eafa3d9d

SHA512
836f6df7b082e7fd9e39ba3edb6ac5d7436e1e494824eb1b7f636cdfd15c721058edcbba548caab5de397e0524c1bc2c3a422c0e169f859b8f7b8e2fdc9f4d08

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\cpgj.png

Filesize
87KB

MD5
daec927f6a53b41d724c8e44c55f4907

SHA1
f44e1d0a54992012e492fc3b6a192969feb7b371

SHA256
d6e0ada436092f6163dced6cb840975757ab7c359ce31f854d0045f575c466da

SHA512
9f16ca0f2359d5b7389ce74ed78fb464bb5854dba555e799368f6f0d065ff429f310c28bf3f40296072c718798753d2aa91c4153bdfa9ab20a959d21990090da

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\dingding.png

Filesize
4KB

MD5
8cc3c4889b18defa077f2433873214cf

SHA1
44d5cff6e85bb1f0da56554a256ab85c8971c486

SHA256
00bbf58288518b261a31ca397e91a8cdfedc296105bb6173f9a8df44c89a3b81

SHA512
3728047eb047db37bb4e05e47733d40b3728c40307f5ae6d9778da23f1601b5cf41e7eee1cd1778a1be760448c54cdb48d61d27e2f2f27e3b7f65efa6293cdab

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\jgpdf.png

Filesize
8KB

MD5
1f3fef2d8e7159d649f039785ed583a3

SHA1
02f2abed899adbb1691c8511e720ec933cefc518

SHA256
8329ea15947106f1f8e36d29e3f3c57493ffd50d4d8a77ce20cf60505ba8b249

SHA512
244c5fcae2762f4b1b5aac6230e59bcb3e871e1faa2ed292fef48ab86cb01f058545554ffc569bd489bb6031365f024fc195359043328f64249da7f74dcc6590

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\jsllq.png

Filesize
9KB

MD5
09cd9c082a5521e6f4d4f587e744681f

SHA1
f86255581310333b4d4e81b7dbe16d60c04af090

SHA256
d948f5771da65faf3e9b5a5c53bee0c670f06fec5345d096eaa385c4a9b7bb5a

SHA512
4c961ce081203966da073d4e99221784254e4868a9bcce51a4d74a4e61a82d970220c284457b9c2ba333c0cc7969e66811ed3bbc826add93a17fc6aa8100fab0

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\ludashi.png

Filesize
5KB

MD5
0282e30bc48112f11627a483e78dd124

SHA1
6460cdbb7dd2aed8b30e9464a99795956c3dbce0

SHA256
8093c1eb88ed5a7b7675bab36660fec0e117f2aca99f11e4fbd81d1cd427ba6d

SHA512
5f0a2d8410dedd0212ca49673490d8989feb90eb67e27a79024abaf5fee4a34bc1f096df6ea411e93ffe294cf95c577b8dc2fe53b458d2b1800016aa5db3ac36

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\qq.png

Filesize
2KB

MD5
b8d42b63b5141833d50a18487ead6cd9

SHA1
e93a2dbb03fd100a416a0e40bae6df026212fa54

SHA256
21b6e0aaa12f17bca97a9b1fb2a09f64c4e5d9acb0627b1592a992a14a91bac4

SHA512
25262c4b4dda6eba9c471227bad9b0ef37e7919b1fa63ca78eb130cb5c47bad0e8353dca08c841f91cf9f7bfc337fc80e4f91498d1d3569000096ac27cfbae9d

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\qqlive.png

Filesize
4KB

MD5
e63bd655bb246c2f4759bdca204f5322

SHA1
0f98ff1124173c132610c1dacbef69a8185a6ce2

SHA256
11cc195bbad58e5ed664213e9110652a59b0dec86a23da862602e574bdbd6e25

SHA512
38f42bab2f12c967e2229c88dd09790bc61aacd7b830efc449dc51f6adc8a2e03db8cc82630be7509fc746d45a923ff1425f0c036cbbde75faaf0b5ec2cd5f87

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\tkpdf.png

Filesize
13KB

MD5
dabc90318d630cc6f24dd42100bd540e

SHA1
f08fb1e6345f7853496cc313ba86c7073e779586

SHA256
ea59535ed830c9211e81c7d9259e1eb8c68471153e15cf12a6577cedfc5bcc3f

SHA512
bf49caf27eb560c7203acd06bb43ac638fee432e9ca659847352f7adcaaa1cc51a73dec2c707e809782a0c5d0bb2663864e90eeb23da47a12bb0523e007e9c33

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\weixin.png

Filesize
2KB

MD5
e51545c9be43f92d156703c0f6de94eb

SHA1
dd90973171935f9db31ce26148c1c4852348e6e8

SHA256
faed4acd4a13a0295b2e93958c13e13ae6575bb0fe5c2b55027fa7ef56f8fa0b

SHA512
5b8ec6c59ac1367548d9ff47dd4b3a695558de07caca55fcfe5ad33b5df78a3da831216b8d01a6c135cdd56b6ff1a82b451491fe327924ff3e19092b7d43d3eb

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\Icon\yykt.png

Filesize
7KB

MD5
d23e3294e2c60e94f73f953262da537c

SHA1
dfa80b84e708ab158ebb8f2951359887132cced8

SHA256
3972f6390be332adc11a327e4a0f19c50c2d2a6095bdfa2b695afcc3d528882f

SHA512
d4133791ebfc1540c3f88f798b87a02e76ed33f58926ae8b20af02f2d030c3cf01c90da58ed9b3cd3b4d293925eb5fe70186d749e76b669ba07184fcb8322a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
1002B

MD5
8794a25614127697b15d1b2330ea50b5

SHA1
2c5cb64d1f005e9cf2ce01fb12556ede420c0fc4

SHA256
2e362ca5571517a3a874777edcdcd25f50fd1d0a89f6c7e92bbb734abaf80bc6

SHA512
5f52bb9d404ec09213227df2f048dfe564d3267f25c625bb5f3cf1bfab42ab6c209ed1f5a30ee9d675bef3d917d3e0ead2a74f23a55ad9fd781cb68403f9697d

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
1002B

MD5
8794a25614127697b15d1b2330ea50b5

SHA1
2c5cb64d1f005e9cf2ce01fb12556ede420c0fc4

SHA256
2e362ca5571517a3a874777edcdcd25f50fd1d0a89f6c7e92bbb734abaf80bc6

SHA512
5f52bb9d404ec09213227df2f048dfe564d3267f25c625bb5f3cf1bfab42ab6c209ed1f5a30ee9d675bef3d917d3e0ead2a74f23a55ad9fd781cb68403f9697d

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
424B

MD5
58aaccb98813052c10decfc6878ad896

SHA1
c7b792ca26aa6fe7b3e533f4cbe1c21091eddb96

SHA256
5649078df8ca1168f742655f84ac38672ab7edbc5236da1f0196debdf7fd76b0

SHA512
5c4d6804c87791a40c18a022acbe5a4115bbc96cb83699861861b3cf5b0ce48020ed2aa3e2ceb89bc76cfd3728c2a7469625a63cb1c76d8db989fa6ccffd5b09

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
564B

MD5
ffb9683aadf77d754d70271f0f6716ea

SHA1
9c7bffa1043eb8c8ecc995f73e447573be37c7e4

SHA256
f384d1098020974283433799ed49d562fca94e6f15f80d5a1b70bcf46402e18d

SHA512
3cc12987b0f7f5e9bbe88cc121337db4081ca97d5d7ee04ed6f35217d6ddb4cd1b4b5fbc827cc5229c8081be75fc461c77feabe0b3efd0246578cfa4b0b0ad03

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
564B

MD5
ffb9683aadf77d754d70271f0f6716ea

SHA1
9c7bffa1043eb8c8ecc995f73e447573be37c7e4

SHA256
f384d1098020974283433799ed49d562fca94e6f15f80d5a1b70bcf46402e18d

SHA512
3cc12987b0f7f5e9bbe88cc121337db4081ca97d5d7ee04ed6f35217d6ddb4cd1b4b5fbc827cc5229c8081be75fc461c77feabe0b3efd0246578cfa4b0b0ad03

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
628B

MD5
c39c9bfb8fe4f312ab4a62fef159e822

SHA1
760eba3cd99d0778fa075f946379877a3f876021

SHA256
56c92f795d86c775bce83810ac826f268220d044fce0261a99a58b5f9d7ef715

SHA512
ceee73823bfcb0274848e1695dce1cfe495164af698911c01ace7ce8c49e644eef80a34093e79e91455862ab1827b9806d63e3f88abc96d433fbfe721eb39f40

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
628B

MD5
c39c9bfb8fe4f312ab4a62fef159e822

SHA1
760eba3cd99d0778fa075f946379877a3f876021

SHA256
56c92f795d86c775bce83810ac826f268220d044fce0261a99a58b5f9d7ef715

SHA512
ceee73823bfcb0274848e1695dce1cfe495164af698911c01ace7ce8c49e644eef80a34093e79e91455862ab1827b9806d63e3f88abc96d433fbfe721eb39f40

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
879B

MD5
14a742b24380de01b49411b712e8ba38

SHA1
e99cc4b1eb09af2534a65e2c2b38a4743fe217e5

SHA256
440bc5199a0197fbb3cc5bb5b0bf082eeaa7465091c206f210dac06a58457c01

SHA512
6fe982871d8ffbfc9a3a0ef5451e8d1fc3462ace210276caea0366be11f27aed67e79007db94256ff2dc2b283b8503267dc538090e41f46eb960f995ac153a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
879B

MD5
303317fba59a46c40d84904be0f093ab

SHA1
8d5c9dc189569b50bbf40e7f23677f4ed8495fb2

SHA256
db8762275e2792abb1282380a22f40d5ccb1b12cc1df8a58406a7d944326d20d

SHA512
64e3dcf9c50e6380fbe9abec4958417424fccdca190a118ef2e579f2dfc9476594d63a428b7a209a0d36cc74487ead7d1a52ca5c7ba9f1a72ccfea22b2472e7d

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
906B

MD5
89c62faca3032ed12ec4b985223d0321

SHA1
003efb0e20feae92874ad86cccbfefdf9ffd37a7

SHA256
2a91c466050da5b61a36925280b060f58fcbe77ec70ecc7db95cfe147966944c

SHA512
d8e472aca023b20db181af4f022751dc7f3c308714a069d91c4409b099a826a8b8993b9e340f05eafc805e647b43834ba4c320bb01cced977fc997355cc62591

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
906B

MD5
89c62faca3032ed12ec4b985223d0321

SHA1
003efb0e20feae92874ad86cccbfefdf9ffd37a7

SHA256
2a91c466050da5b61a36925280b060f58fcbe77ec70ecc7db95cfe147966944c

SHA512
d8e472aca023b20db181af4f022751dc7f3c308714a069d91c4409b099a826a8b8993b9e340f05eafc805e647b43834ba4c320bb01cced977fc997355cc62591

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

Filesize
176B

MD5
905738e818bf1c636fdecea7b4287b06

SHA1
11cb0b251edba09414bc11bbd7cb336d189bbbea

SHA256
a96bbb8148bd2f378b295924ed829a792d68824306078d2fed95bae6a7b37f11

SHA512
8c50cb6f07cf298a73a02c6196f0ee4a74b7d5b3f13d026e1b7cf021a8e243594190559d4f37bc63ab067f9743d75845245ee98ec49b215f0c65a6d2da79cf71

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\UseCache.ini

Filesize
214B

MD5
ca82d755db77659a3c01d9b5c9e9d1b8

SHA1
ad8bf0131890828433d9fc9bc95c967762cf4c9b

SHA256
207d38d2f8ca4ea521e5d3487a5b3ee88775a77e3e692c9575e082b50a5f3be1

SHA512
011bab92132335d32f3a0b2c113efa5ec3ca5c040c87d44be58363b7ea28ab8ddade376dbe0a9928cfe7e4c05c6af51e315d266c843bff3ab5b2b5b77c1d8cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\htdf.abf

Filesize
2.4MB

MD5
04393531cacad699dd1f5efd46faec3a

SHA1
67e417c03baf53e7770c6694757686c747b47617

SHA256
466e5c0dcf2f441d7c0fc659547659109ee2547299ba642cf9521dd3c1da4d85

SHA512
03bd7877deecf4fd9c707a50057abb6e1b48fbc6289b6d8a8a4765954497a19ba51504e0ec13bf4d04bf304d2cbc9cf978cfdd7ee86651bea9a39e23b23267c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF714903.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ebab978444ee98848b7192a699e6f71a

SHA1
9a7c723bee743fa208d959823a842b9fc4b3e631

SHA256
2eecbb7abb37b425bd5a4756c0e56200328036a1e699df3c62f836437f65a711

SHA512
7749bfced091c80df299d50ea8d298ab88cd11957ed3d8f11affc26cf11f0cf5c9dd9ed8731f71fb4f3bc6ad35a58360f4b37a1a0e8f54b0150af8a82892b424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
659643051f727201ce430fd4dcfa59dd

SHA1
455cd35ae811f3a59d296805145c162ee983e6fb

SHA256
e022d92e1ba7119f83e864b218bdc4f840d335bd8ed4efd6105053588b345742

SHA512
a8f9208ed7ba2d2093d24df6df47a1479472719deb352a9d862c96e32d88a01c6f3766ac1542f77c5641e1f16c04c3b47dcb31416817cf463fce64ea1fab0983

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\848rd575\dhjk.bce

Filesize
11.5MB

MD5
ec8eda88ce80e96d2c8110e8e9e46adf

SHA1
05607645a64283d92cd34e28873494d274798719

SHA256
f8683fa3e248cc7dfd17d541dde23366d5b05112b30442aba033abd671cc2524

SHA512
9ee23e2d5d5d5ce0e5a2d3b592cfc1bec1876dec605ccdbb7e4e5f74a9099948f9c0842a7506c9eafb9be90b12fe8b5eaa0267a51f496f8c6bc58adc9cd5e730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab79A5.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A54.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\Eleglate.ini

Filesize
214B

MD5
b9446101086bb81c55712b776da2d8dd

SHA1
b67997b34cd3f6910d9cb9203bcf0fbec40a9dae

SHA256
799e9907bfe53bca4dd7c6a6b803d7f89a99106a05407ce00ab66cabcde2be43

SHA512
eab7ccef10997649fbce843dd0def20e7b125af607946a339e1071ef1c0c74f6ea93ed4902446eb6d7e0f671ff27a415ea918e8bc17f9828d0a105b829095cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\Eleglate.ini

Filesize
267B

MD5
770e3140968284e100483f5671c6716e

SHA1
695277aad1772d28bd265cfc22c50e0be8816bc9

SHA256
164e884d37a1a4b6a2d54923ecc05591ac29bb9f8f9e4cacca32b6821252005c

SHA512
bf7f000190441d66cb42a74b3637d11f6d13ec0a102bd20c61eb3d77f6ad29bb3052de9fa11353c56c5e8af27857e16a1c25534ff9e241874dff5df5457e449c

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\Eleglate.ini

Filesize
331B

MD5
9fe3f9189fe5e730749b37f76a101db3

SHA1
8dbcc31a4ca3bd868102e1cc228196ed79396726

SHA256
80a20329d576f18b45eef471f18f4550cd58a13d96b0fa9430c4f4ad42c8fa69

SHA512
21c3331c097f675859e8900ac601183e7d9c83b4560f87f700c2287e701f3cc1e2e8945df0175ebc6756577d6b7b9a266ff2e6b6c0f1fa450943fe0b5e29e344

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\Eleglate.ini

Filesize
331B

MD5
9fe3f9189fe5e730749b37f76a101db3

SHA1
8dbcc31a4ca3bd868102e1cc228196ed79396726

SHA256
80a20329d576f18b45eef471f18f4550cd58a13d96b0fa9430c4f4ad42c8fa69

SHA512
21c3331c097f675859e8900ac601183e7d9c83b4560f87f700c2287e701f3cc1e2e8945df0175ebc6756577d6b7b9a266ff2e6b6c0f1fa450943fe0b5e29e344

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\Eleglate.ini

Filesize
331B

MD5
9fe3f9189fe5e730749b37f76a101db3

SHA1
8dbcc31a4ca3bd868102e1cc228196ed79396726

SHA256
80a20329d576f18b45eef471f18f4550cd58a13d96b0fa9430c4f4ad42c8fa69

SHA512
21c3331c097f675859e8900ac601183e7d9c83b4560f87f700c2287e701f3cc1e2e8945df0175ebc6756577d6b7b9a266ff2e6b6c0f1fa450943fe0b5e29e344

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\SoftConfig\a30666352098.bae

Filesize
759B

MD5
6cc4e04f12791ec20b1a3ad0e9ad4ef4

SHA1
447164ad93dc952f3033176d8223ba8b7fbfa780

SHA256
0e992a902a1b69dbb87198146ff856bd5cfc6c1da187da9aa33409f92481daaf

SHA512
37d595bd18388335345fcd14e0e80cb1f84d96eb7a5c523db71acbfc964c4e530185187ed9034e5e948a06d88fd1b500b6542efc7e52766ba4f4b44949a35a07

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\SoftConfig\xst.abf

Filesize
1.6MB

MD5
6da728dce51b467ec8fd6057bac07e68

SHA1
b92b28e759835c4e343188e6f4242ceb77b4a4b5

SHA256
bbe6dfd2d9ce3e0f4c727ff0e1354e2c7a9a53add6e90fcf1766a8552035bc48

SHA512
f838bae8371750df023a031df4c5815b12a883133af76b7dfbfab09fea4b70d10da4adfd23a055979d4f81dfba217333d2a3e246c2c551f2b612c5c353c56fc9

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe

Filesize
2.2MB

MD5
7333a527dbedff3be88294d07dd9e4a1

SHA1
6aeb844db20b0f440734bf53283e57619834db7a

SHA256
1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3

SHA512
12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe

Filesize
2.2MB

MD5
7333a527dbedff3be88294d07dd9e4a1

SHA1
6aeb844db20b0f440734bf53283e57619834db7a

SHA256
1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3

SHA512
12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe

Filesize
2.2MB

MD5
7333a527dbedff3be88294d07dd9e4a1

SHA1
6aeb844db20b0f440734bf53283e57619834db7a

SHA256
1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3

SHA512
12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580

Download Submit
C:\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe

Filesize
2.2MB

MD5
7333a527dbedff3be88294d07dd9e4a1

SHA1
6aeb844db20b0f440734bf53283e57619834db7a

SHA256
1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3

SHA512
12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580

Download Submit
C:\Users\Admin\Desktop\ShaShenRAT---- V100 -----.rar

Filesize
65.0MB

MD5
1e7e4e2c29b1c7fbdcb25145094e64a5

SHA1
666a14864f1ce6646d5255cbe4a165756fbfe99f

SHA256
41f6405ca0c653464d28694b3753edab6881c2854598c276390fb2e62a8c1821

SHA512
d211afb20dc87ed1b9fcbc3966ada0c0a3bc7222960b6ca053f2ebfe6ab910746c3a475b98590e7969121850ce89618da1aaac0ba424584ab48b44b9da8d2281

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14561BF7422BB6F70A9CB14F5AA8A7DA_8C07DDBFCA3A75E7CA10ADBEB58A3060

Filesize
727B

MD5
882636a73a8dba86a16b78c7a51d0b9f

SHA1
88d592c76c12f9fe93c76f08ce9d1f69da7d4def

SHA256
580ff35bf96b9f2ea253519d01e9416b2d94e17333b018e2e5afbefe7007d4f2

SHA512
bc1f5b6f69bee364fa5b70a394a5b01a59993a336d3ac573597017e8815a8b82382d860220436f3f4fd526145c937dd728185ba26e69d3e28b34ba0780df4f0a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
471B

MD5
3c82051f857b5a2569a8f06a197fad20

SHA1
9d89cb2a100654f0fffc00a6e03629e243776b1d

SHA256
b1852634fecbed93c7b1c06af5742f18a8a937e6a12b06403ff253963222e475

SHA512
fd1c280ff21d71cf8e0d99e332ba04bab7af59249403254997e48f35baa0077bdd0bed3ae38d076509f911a94717329f7dbfa1e64905a70655e891bb5ac99da7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14561BF7422BB6F70A9CB14F5AA8A7DA_8C07DDBFCA3A75E7CA10ADBEB58A3060

Filesize
438B

MD5
edecfb432b957c85e6450ff41595928d

SHA1
a061eb44fd8544eeba2851349a77ee90dbabdaea

SHA256
7fe57dea16872dc70f899dc931ac55cd4ed9d6711fd4686a538d59ada2aaebff

SHA512
8e02b40ff1ae8625b46bad1820481431b50f5b65aab86552a735a2b6ee0daa061a7dedc427237673f61de6278a4484ce8e99373a84f62efc95b1c9f6c1263ff5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_23FFFDCAABB8E63694AD1202ED02BF57

Filesize
430B

MD5
6ce9e651b7a03fdeeeec1250904d0e39

SHA1
b63e57b0944e9da302c02c58421c8ba61fb28b3c

SHA256
e62375058e6d4d0a90bb8dd55122e9f674b317e350a3a2ecf20ce2d3ce373a5a

SHA512
743bb34f9268f3007ec96faf0e599aadb18a5451d84e68da3e8da75d0bcdb88d957475767e04cce3e2c8ae182a534ceade32b986d955fcdce622e930bc16be72

Download Submit
C:\Windows\system32\WnAcelein64.dll

Filesize
264KB

MD5
1b900520d1c09713f2906f4c5b9d8615

SHA1
38f9967da362505caa4b8a02847288662752447d

SHA256
d8dd77d93a35ffe5d55f16497ccb3ab9cd0c4214d9b6d82ce48c9c2ab2cbb697

SHA512
ccadfd98bf7b4127ba2feb0c040b4af27c2749cc4d063ba6a3f96b10e24fdf237f98f3a9f923f3187461237bd402e7e6bd086fb1bff8847d0e49981f1f639f12

Download Submit
\??\c:\users\admin\appdata\locallow\wannengsoftmanager\softconfig\SoftUse.ini

Filesize
637B

MD5
95728313088282106953394524f9bf67

SHA1
a508035f3b7eebaf5ae980a52689b773b42c9c83

SHA256
8c460c81b2eccc7ecbacf084a2f3d543e3b9aa399345706bd9727e08ce9fe880

SHA512
f9cff0fa4b7b35e34fa22bf1ab0a21d103f2ade57c7a9566e2c231df8a69b2804fa8ccc7fa771846bc0ae760e8e710a8f2a49568a1cb760003022cc48476a734

Download Submit
\??\c:\users\admin\appdata\roaming\restreful\Eleglate.ini

Filesize
347B

MD5
19b25e29a7a30ca93e363fe002151d36

SHA1
9a2d8800c0cb04af27f573007e71987aa5d55e38

SHA256
722d3d1639d96c2e5746346a68fc260d0e6ce2a0221277ef723b144b356f147f

SHA512
6c208219962aee79d1b880fa955b31a47fc195b3ec3db6b21e930856f8928d182f1c03ea60edeb981bbc2688274be46a5e5fc037546d49345f9b7037b05c6d20

Download Submit
\??\c:\users\admin\appdata\roaming\restreful\Eleglate.ini

Filesize
214B

MD5
b9446101086bb81c55712b776da2d8dd

SHA1
b67997b34cd3f6910d9cb9203bcf0fbec40a9dae

SHA256
799e9907bfe53bca4dd7c6a6b803d7f89a99106a05407ce00ab66cabcde2be43

SHA512
eab7ccef10997649fbce843dd0def20e7b125af607946a339e1071ef1c0c74f6ea93ed4902446eb6d7e0f671ff27a415ea918e8bc17f9828d0a105b829095cfa

Download Submit
\??\c:\users\admin\appdata\roaming\restreful\Eleglate.ini

Filesize
214B

MD5
437ea74bf7938eb2499a769cf62aaa67

SHA1
34e4862deeb58d460f0b9e4ecb402f68617b543b

SHA256
f742b5766b34b3c4e93e235229bbdd5119ddb80097b28006432b67d56dc99c6b

SHA512
26f7acd3e2d87245bde351bdb5d8270f1be8acd91d0a29c8b1c4ab908b94c052ccee08dd7a970eb05f73c0c6bae868af2df412b4651e65c09332f8f3c58ee459

Download Submit
\??\c:\users\admin\appdata\roaming\restreful\wnsvdarme.dll

Filesize
2.2MB

MD5
2ea1bb79182e0832833828cf04288fbb

SHA1
3613dfa6fd8a15ad931db368fd4928d4836143e0

SHA256
b3c7a548073644da7d501e663cad09feef8ff30a2b232e58e2c50b6c8ca9d801

SHA512
55f443552a1cd1762dd5eabb35db459cc51d2bfadfa07a3a7fcaca99d437c1d077b84f660a08805af64c69bef0d0561c579c6d15e01b44b02218f8a932b813e5

Download Submit
\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe

Filesize
4.5MB

MD5
30d04c3ac9a0a938f0742c504ad7b256

SHA1
46966a65cb4c4e74cd949bc2615776701564b67b

SHA256
5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103

SHA512
17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765

Download Submit
\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe

Filesize
4.5MB

MD5
30d04c3ac9a0a938f0742c504ad7b256

SHA1
46966a65cb4c4e74cd949bc2615776701564b67b

SHA256
5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103

SHA512
17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe

Filesize
7.1MB

MD5
14f78023f4a504ace87f681028eae4be

SHA1
8eb62dd9894adcd90bb080b7cb33bd9affc3c05f

SHA256
5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81

SHA512
24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998

Download Submit
\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe

Filesize
2.9MB

MD5
c962318702eac982494f55762d5358e5

SHA1
dfee67eec82c97614261ad826020e95b9183fa45

SHA256
bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac

SHA512
9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1

Download Submit
\Program Files (x86)\WanNengSoftManager\WnUninst.exe

Filesize
4.3MB

MD5
4c87ae53f9687a128563aa0bdd931e3a

SHA1
f08b3e12e5e3492a8b0f14e2230c0da4099f9a88

SHA256
dd62ffa2383984ce8c009cb55cb6818afe9b343d6c8dc73f6f78210aa4d9e6f5

SHA512
e26bf9065a0d976fe3533b35c4e3193e98bec8cf46855bdfd58ce5b86106a1a8b4655c41d40dd407f2702dbaaa5d0b9c0ab7e73010fe2dd957ab5f2a010bc832

Download Submit
\Program Files (x86)\WanNengSoftManager\wke.dll

Filesize
11.2MB

MD5
cb099b500ceb0e2c123ceef14bd7183e

SHA1
7c7538b9bade66b4561bc14183b31deec50d0021

SHA256
bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592

SHA512
f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705

Download Submit
\Program Files (x86)\WanNengSoftManager\wke.dll

Filesize
11.2MB

MD5
cb099b500ceb0e2c123ceef14bd7183e

SHA1
7c7538b9bade66b4561bc14183b31deec50d0021

SHA256
bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592

SHA512
f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705

Download Submit
\Users\Admin\AppData\Roaming\Restreful\WnSvceous.exe

Filesize
2.2MB

MD5
7333a527dbedff3be88294d07dd9e4a1

SHA1
6aeb844db20b0f440734bf53283e57619834db7a

SHA256
1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3

SHA512
12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580

Download Submit
\Users\Admin\AppData\Roaming\Restreful\WnSvdarme.dll

Filesize
2.2MB

MD5
2ea1bb79182e0832833828cf04288fbb

SHA1
3613dfa6fd8a15ad931db368fd4928d4836143e0

SHA256
b3c7a548073644da7d501e663cad09feef8ff30a2b232e58e2c50b6c8ca9d801

SHA512
55f443552a1cd1762dd5eabb35db459cc51d2bfadfa07a3a7fcaca99d437c1d077b84f660a08805af64c69bef0d0561c579c6d15e01b44b02218f8a932b813e5

Download Submit
\Windows\System32\WnAcelein64.dll

Filesize
264KB

MD5
1b900520d1c09713f2906f4c5b9d8615

SHA1
38f9967da362505caa4b8a02847288662752447d

SHA256
d8dd77d93a35ffe5d55f16497ccb3ab9cd0c4214d9b6d82ce48c9c2ab2cbb697

SHA512
ccadfd98bf7b4127ba2feb0c040b4af27c2749cc4d063ba6a3f96b10e24fdf237f98f3a9f923f3187461237bd402e7e6bd086fb1bff8847d0e49981f1f639f12

Download Submit
memory/1212-385-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-80-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-211-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-199-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-182-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-97-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-54-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-136-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-135-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-433-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-457-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-470-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-568-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-395-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-560-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-558-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-64-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-383-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-386-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-387-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-91-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-87-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-82-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-212-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-78-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-77-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-76-0x0000000003F30000-0x0000000003F70000-memory.dmp

Filesize
256KB

Download
memory/1212-75-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-73-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-68-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-67-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-66-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-65-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1212-394-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-388-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-389-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1212-391-0x0000000010000000-0x0000000010537000-memory.dmp

Filesize
5.2MB

Download
memory/1396-552-0x0000000010000000-0x00000000102E6000-memory.dmp

Filesize
2.9MB

Download
memory/1396-561-0x0000000002440000-0x0000000002667000-memory.dmp

Filesize
2.2MB

Download
memory/1584-264-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1584-263-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1584-262-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1888-1025-0x0000000004790000-0x00000000047D0000-memory.dmp

Filesize
256KB

Download
memory/1888-1022-0x0000000004790000-0x00000000047D0000-memory.dmp

Filesize
256KB

Download
memory/1912-1041-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download