Analysis
-
max time kernel
122s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
19-05-2024 14:18
General
-
Target
689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe
-
Size
2.0MB
-
MD5
6036bd73dbef78a0bb21bace81ca703f
-
SHA1
59cb4799cafe00aba015c8a8eee53d3826e616d1
-
SHA256
689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9
-
SHA512
be5c11d73fd0c8edf0a1d89c79fd2847511efdc401fe057624c0de67a01d1047b2c76f636733d71c46557c4b6d855ec37694fccf368ee8057901662b4a38adfb
-
SSDEEP
49152:ZlqwRsD6EZq9NBN8EFWI6xuPFT4u6Dr1LJPMxi:ZlqwRsOEiTVFM2T4FDt
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe"C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Maps connected drives based on registry
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WanNengSoftManager\'3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.iniFilesize
194B
MD58169df157e5aaa7814e19e4a312a8e6e
SHA19250c428993ae78da6f578af6ee968d632f14b32
SHA256d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812
SHA5126d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1
-
C:\Program Files (x86)\WanNengSoftManager\Icon\main.icoFilesize
197KB
MD5e1bd484966a645a7b456a67ed4a2677c
SHA1528d589847d60b41e5faa40c6ee5e1d361df0c55
SHA25687868f0c311ba96d5f8069b070a8309d2a54813535ae99d852cff44a23f626f6
SHA5128f76bc32ab178b056a7c01608e8a0596aa1784f290837a8f0b844f097a4170d3cf9ed400f9c27de1ccdc645e012a66f086069a922ed2de9bd28cda584cf57dbc
-
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.iniFilesize
213B
MD5c57382c6defdbeb93a01f9cfbf9ca847
SHA12980a4dbffb35150c6469285a0607f74614dc91d
SHA25615864dbea602ea534da59d356675e0aecfef7bbfec767225ecc5bcc19c7dcff2
SHA51219a8d689250519015ce24072c55b96cbb42d3dc5ec8c9aeb12c28211bba4298e3795c4aa09aac3f2ada79b651490b7417d41e538f37de518e81f5af613a8d9e4
-
C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dllFilesize
219KB
MD58e2c5d3c053319ed8d63483d256449bc
SHA1961dfe8155befb9947f58c84df4c4fb32623c911
SHA256a1cdb58efe50c9824776219541ec36fc9532f0dc68e6f95321bdf4c538387637
SHA51218b2e3b861db93b1ea1ac090791296aa25d1d2a6584b2624b982f044fb0142c4c413e134cc244d3b3273f90150ee7a22fda1a92bdb5f1f34bf95281579a8f042
-
C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dllFilesize
264KB
MD51b900520d1c09713f2906f4c5b9d8615
SHA138f9967da362505caa4b8a02847288662752447d
SHA256d8dd77d93a35ffe5d55f16497ccb3ab9cd0c4214d9b6d82ce48c9c2ab2cbb697
SHA512ccadfd98bf7b4127ba2feb0c040b4af27c2749cc4d063ba6a3f96b10e24fdf237f98f3a9f923f3187461237bd402e7e6bd086fb1bff8847d0e49981f1f639f12
-
C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dllFilesize
426KB
MD57b77180aa387e2480811c118a30dd05e
SHA1159d07f6a313f130f046af392aaad50bab80eeb6
SHA256355943ed9b2bbb59ab4298b83d3a98290a42fcee87a1cd46e7c777161a09c106
SHA51290549e017e331761632f8b5fddecfba928401fce2a5afef5aee665f980d529666ffb36eb5bd5e9cec78b051b4d3bbfaa35f0b72b85cc706176b4a1b5422b6afb
-
C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dllFilesize
475KB
MD5d468405798b4794714b55d7acb5c337f
SHA16131ea842c69cb2cf0b8f1b1be1558168e023fb1
SHA256550994432a9ebce0b266a2d7892194e89d5aab4b2b6d7dae6b102fcdcb803c84
SHA512ca64de673d4a2f4fd63ed7347f7d9e0743c5ee5583563423429f1d19952f43cb91ee61e8b85f08731325700e92836d5d4026d79929b0e1811c25a6aa06e8ee1c
-
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exeFilesize
4.5MB
MD530d04c3ac9a0a938f0742c504ad7b256
SHA146966a65cb4c4e74cd949bc2615776701564b67b
SHA2565b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103
SHA51217ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765
-
C:\Program Files (x86)\WanNengSoftManager\WnFerous.dllFilesize
250KB
MD56b5253223698a88ea8393c0bb324aae8
SHA1df156ead59e070d232aa6488c8ce1d857617aa15
SHA2563ef4d209c611807a27b2e01298ef2651a25b01f389ef59c60997a019bf14c575
SHA512595aa7805198984cbcceffc71ad45d1fb4b6651987030a78dc703f0f0d575ddb7606c69fc5aa1e563a8d679f0b56b32c436b1a299f1f5e173d23d35e8ecc0a18
-
C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dllFilesize
303KB
MD5acd59a749f0e56a163bddc1f454f69b2
SHA108f05945d666c6e19e0e8eaf0ab14d26eaa424fd
SHA256c7fce5752658147e008cbfa8b39dfdb51615ff2c0e73866483bf829c375b8ce5
SHA512627b027abdd502738958bbf62fdf737cf8a0930e4ac5c54e4ef5d74e6493d196b69a6b3911518d115fbcf039868e16e88ba7b1d6c01d8a993c945e99bb6ab234
-
C:\Program Files (x86)\WanNengSoftManager\WnKernel.dllFilesize
2.7MB
MD5de11310bfdd3f2d2bf49201dd1914699
SHA14625d4d3bf4ece6599fbb1abd7357438c6d76ae5
SHA256b485275db6102a1c1fa41b8b260d35bbdb7600d6d1c32099c54b3b6750556699
SHA512ee91e6d5953207ed69b011ed06ed1fc95fcf86d392009802a6f4d080fbe306123c30cfc7a5e64839a51c5cd018a4e147dc3b962088a3a30ba2f0880ba59b437c
-
C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exeFilesize
2.3MB
MD5c9f30057628368706bcdc4cc1da5fc27
SHA18447d2ec544b4288c0eb4f0c913cdda8e475fc31
SHA25664b9caf38355a451b34e8a7d012fb7e60eb4b76fd98fe82c096e0e34268d7d51
SHA512c9135fca1f79531a5ff16c6a641dd110952f7b28958a245fc75a7ff2a8c8c271b4c2c95ba2f288909ffbfefca70c7c12f0a8ae0d763c69d5a93bc50b5ca35eb0
-
C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exeFilesize
2.4MB
MD51a8d6b945faa865f5c189bba5df42844
SHA110b7c7628a40a882de155722c2d7942734fe4901
SHA256de8eac7f944a6c99a894b74fa4327f765cb381d4745602f3acbbcf1c3a7ff5ab
SHA512579993711e6eba9a54f72a04f13209255e50656277dac9e0309ca77afec3acbe12ad3ccb4337afde70e2d5db7453a0ab557585e45da4699ebe03bf1d635777b6
-
C:\Program Files (x86)\WanNengSoftManager\WnQdX.tscFilesize
42KB
MD52c4fdced429b803305607ed171dff5bb
SHA1449000b216cbb472bc18b122c4fa516adb299a19
SHA256ce792fbac3c45906e948319f9e06d2854ee6ab580220f66c562cd75358b1a894
SHA512f499a42044774222c3221fde90b0c33617ff329b2d858e242a31f6f365c8b36a7628dca24c41d92cf2adfc36813ba5cb309f48c5ad616377b348124837784465
-
C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fesFilesize
39KB
MD5e220627df0f7912ca9abf9003e3536ac
SHA15dfade04a3a08d68f2937b89792c06db299eaa7e
SHA256844a4a6d945fbce245cde1f3edb7ed3c93b36b472a3a00c347d210c4e459f921
SHA512a69326f0ba5450f859308a9a1d44d7f021ac7209674274ddb8437ab885567f39cc4571f38b739ea731510c7755e3afd4923e28d20cbfdc162fd41c1920592c9e
-
C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tffFilesize
45KB
MD517758d686860dddfa39a0515829a23c6
SHA1f9efe7b295d31b3e8c359f8e3fe2e893fd0ebfce
SHA256241610908c9f40566296f34066195c0606b577595b84cfb282337b58e23d07e1
SHA512664f0a90c40d7789bef2e4866e96145d32d5dfafe329b6c62c54fe9bf367317ba5b69962454d62e4c94b9b9530df3d64d702bd54bac24ab380243ba6b6426a4b
-
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exeFilesize
7.1MB
MD514f78023f4a504ace87f681028eae4be
SHA18eb62dd9894adcd90bb080b7cb33bd9affc3c05f
SHA2565a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81
SHA51224f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998
-
C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exeFilesize
2.5MB
MD5db101c5d26f7d92064c6d3faaba20175
SHA1683afd3c7512886d0f4c5987deefafb5f396b573
SHA256f5cd65baabbcc556b0beae9e6e65b71b5fd19b44f7776cfaef9b6bd09bb156f5
SHA51207f56957258ed8bee16577998bbf97f7d8ff799cacf865fdb47029dc008af6df632ac55e860b0f859b7525d41478f06885bda89185b67f73c79eccc30ec83503
-
C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exeFilesize
2.2MB
MD57333a527dbedff3be88294d07dd9e4a1
SHA16aeb844db20b0f440734bf53283e57619834db7a
SHA2561ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3
SHA51212f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580
-
C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dllFilesize
2.2MB
MD52ea1bb79182e0832833828cf04288fbb
SHA13613dfa6fd8a15ad931db368fd4928d4836143e0
SHA256b3c7a548073644da7d501e663cad09feef8ff30a2b232e58e2c50b6c8ca9d801
SHA51255f443552a1cd1762dd5eabb35db459cc51d2bfadfa07a3a7fcaca99d437c1d077b84f660a08805af64c69bef0d0561c579c6d15e01b44b02218f8a932b813e5
-
C:\Program Files (x86)\WanNengSoftManager\WnTen3.fesFilesize
50KB
MD56a99dce0aa4798a921799231fb98d0b7
SHA1f986740992007f92ddb6db452a0d4ee7a3de3b3c
SHA25664cad370d5373313a05e71efc4d719b17b4801576356e693b47e4515fb64641a
SHA51231b684a3e72d36f6077f792257c4fd33ba79eb7a02e153b0898bfcaa64c8dac931b7ee7b371784b88b47a014fd744df2743388773444b82d25d65932b64d6eee
-
C:\Program Files (x86)\WanNengSoftManager\WnTen6.tffFilesize
55KB
MD539b59f56c7cdcc204ea2e2f44f0f11ba
SHA15a6b0fa4849b38fd75edb0b66c1e8fcd4f70b17a
SHA2565eccd83aa0e78f466a14fa4862d273eaa1999fed6cef6f451c6d7b829ea71388
SHA51288b8ccfc1989cb4eb365562240a96117e2cb90601f053e803bee1c10defd17323a10e946797bd721bae6b4d8255a03f06a04266010ae838657e37c06525b85b5
-
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exeFilesize
2.9MB
MD5c962318702eac982494f55762d5358e5
SHA1dfee67eec82c97614261ad826020e95b9183fa45
SHA256bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac
SHA5129f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1
-
C:\Program Files (x86)\WanNengSoftManager\WnUninst.exeFilesize
4.3MB
MD54c87ae53f9687a128563aa0bdd931e3a
SHA1f08b3e12e5e3492a8b0f14e2230c0da4099f9a88
SHA256dd62ffa2383984ce8c009cb55cb6818afe9b343d6c8dc73f6f78210aa4d9e6f5
SHA512e26bf9065a0d976fe3533b35c4e3193e98bec8cf46855bdfd58ce5b86106a1a8b4655c41d40dd407f2702dbaaa5d0b9c0ab7e73010fe2dd957ab5f2a010bc832
-
C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exeFilesize
2.4MB
MD53003134f2f47ee73ea52bd7690854274
SHA15ef19e5392cb71a98186ca2fa3fafafc1a8fae12
SHA2566c51048d92d86081bd5323e2ce25734a2b5d0991585dcab95dd051b87204334b
SHA512d4ba9175b4a0e2a7b8ba377d731a0c76dadaaad254630bd62781fbf72339c8228c501e9ddad0f456b1de9beac40910f1f2a964d78064e457e6f1e88cf7864965
-
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exeFilesize
2.4MB
MD5a177078edd4918268d7c2f9b0ba086a0
SHA1c8229ded91155bfe0de7ed49fa6df988129f7064
SHA256c7459aeab6058396ccffb3e0b7cc45fbc39b90b86ec3c50accc4a5e10ff52edf
SHA512e6f9680b897266453706cd236324551ed69ef9aa5061a5c1c5ad45acce8fb635d09174c760ce998403261e774d3bff207d73d2a26e97b78d9c120cf735f069b3
-
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exeFilesize
2.4MB
MD5db553556e221b52c88a80b8005704737
SHA1a76664b31a66d6f117a50224010616a335fd8e21
SHA25698813ebe375289f2f514fa2064c5817f9bea0e89a91f16455918b46e42d7ed43
SHA5124647a12b9ca93a4fd0cab4df518e5b0a66a5c5984ade09db335905cdd9da89074572ad3011c9f4a14823a08653183ba6ab4cf799ff1dd10fc13f3346f9d7d71d
-
C:\Program Files (x86)\WanNengSoftManager\wke.dllFilesize
11.2MB
MD5cb099b500ceb0e2c123ceef14bd7183e
SHA17c7538b9bade66b4561bc14183b31deec50d0021
SHA256bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592
SHA512f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705
-
C:\Program Files (x86)\WanNengSoftManager\wndr.catFilesize
12KB
MD55d61437ee311a8aedc5af1d92b520a23
SHA14411b26ed712a63a6dd15d909e7c6c6d29d49400
SHA2567f784e9ffd1ea2e8b19ed583db8d395d643186a7f930234ee69fd71dcc208f3b
SHA512d0b1c5961e067693729546502255e91721e4a97e5413e76e9f19d73e774ff3f55ad89713f3b643c88e096958103536d600ef768e3eeca2d8a2b858b3953a8ff8
-
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.icoFilesize
194KB
MD59fd1679643ee825d340f58471a869fde
SHA12ac5b4f383d5fa10ad3fbbb30c6fe0654c8b8039
SHA2563c75eaa4dc66bc1cab8324f14a2f54a62a44ee050a7a6e925592921ebb48f8f5
SHA512d1a4cb08415493f7b10a6edb45f2fe30c7e4d8cb77fe29143887edaac5bf992146df61c412016c687ef4dd9e1b181c7328c0811314e3ebec7f19798cb5e75a79
-
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.icoFilesize
422KB
MD5e7065376abcdb34c3147162172c29ea7
SHA14608d48bb5476823116db94a0890f52f559eca39
SHA256ecb25a772f8e3db7027850aa646384d37190d9233dec18a9151201b0acb20c69
SHA5127119480da0cc16a7609a611c984c888589c722edc9d5d213a488b11426020a92402ea06be0a375bb2912661d73caa06d4a52243b8233fdec64af1f056a8b44c2
-
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.iniFilesize
89B
MD561bb67f9351d54580b31798aa7de628f
SHA166c42459f7b71441cdf43d77ebb7a80c58223105
SHA25638b5f5a340d987522ab4b62162da35ecff7fbbe922d795af8a204aa2e028d521
SHA512a0c82c0df097bda81da23dea9e9996c6824d8c2ec6df5f066e705bac26a72b674a5f20c1b73e374e56fab228f92dc4577901db8e63b72752590f1b418af5f152
-
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.iniFilesize
330B
MD5378f393d3a0220145bf7b929d3173652
SHA153c4f438858edbe2da3625f86da9d5513f9c763d
SHA256fd07976ef5bf90131fb416a584644e9dc78eb1d4101c75d47983947c0856aa6a
SHA5120a2dc4b914312d9a8c6b5ea71df86c172a8f75071a778a2f8fcf2eacc36a4c1232046444afc20ca7006437e7e32e2a32fbf5808fe4d493e62a298146e1cd8da2
-
C:\Users\Admin\AppData\Local\Temp\531rd532\dhjk.bceFilesize
11.5MB
MD5ec8eda88ce80e96d2c8110e8e9e46adf
SHA105607645a64283d92cd34e28873494d274798719
SHA256f8683fa3e248cc7dfd17d541dde23366d5b05112b30442aba033abd671cc2524
SHA5129ee23e2d5d5d5ce0e5a2d3b592cfc1bec1876dec605ccdbb7e4e5f74a9099948f9c0842a7506c9eafb9be90b12fe8b5eaa0267a51f496f8c6bc58adc9cd5e730
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ihxpxch.glf.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
F:\qwomnw.exeFilesize
97KB
MD5cbc9bfc5e32e9e8b2479bf4acb62d693
SHA185a57a0b87f15f13a39a2dfb4942e7b6a930772f
SHA256efd4aef8b12302d8a651dfa1fcc9c8561b77f6501b74c09b3cb7d84024528cca
SHA512c48333ec1e9e6ee55f55506be93431dcf753201ee6e5237fcd3f93904e2775ad7ce5d86360a36ce09b926c9770b1de4abfb344b5e77cb18782aa5e99ca254601
-
memory/1864-26-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-67-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-60-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-9-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/1864-65-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-8-0x0000000000870000-0x0000000000872000-memory.dmpFilesize
8KB
-
memory/1864-70-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-72-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-73-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-75-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-77-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-80-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-90-0x0000000000870000-0x0000000000872000-memory.dmpFilesize
8KB
-
memory/1864-53-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-109-0x0000000005FC0000-0x0000000005FD0000-memory.dmpFilesize
64KB
-
memory/1864-57-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-1-0x0000000000400000-0x0000000000607000-memory.dmpFilesize
2.0MB
-
memory/1864-51-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-48-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-49-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-3-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-5-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-0-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-10-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-11-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-55-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-21-0x0000000000870000-0x0000000000872000-memory.dmpFilesize
8KB
-
memory/1864-20-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-18-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-7-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-6-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-19-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-17-0x0000000000870000-0x0000000000872000-memory.dmpFilesize
8KB
-
memory/1864-4-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-62-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-22-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-58-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-23-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-24-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-54-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-25-0x0000000002470000-0x0000000002471000-memory.dmpFilesize
4KB
-
memory/1864-36-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-47-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-46-0x0000000002490000-0x000000000354A000-memory.dmpFilesize
16.7MB
-
memory/1864-39-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-40-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-43-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-44-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-38-0x0000000010000000-0x0000000010537000-memory.dmpFilesize
5.2MB
-
memory/1864-37-0x0000000005FC0000-0x0000000005FD0000-memory.dmpFilesize
64KB
-
memory/3044-284-0x0000000007650000-0x000000000766A000-memory.dmpFilesize
104KB
-
memory/3044-281-0x0000000007510000-0x0000000007521000-memory.dmpFilesize
68KB
-
memory/3044-285-0x0000000007630000-0x0000000007638000-memory.dmpFilesize
32KB
-
memory/3044-262-0x0000000005FD0000-0x0000000005FEE000-memory.dmpFilesize
120KB
-
memory/3044-276-0x00000000071D0000-0x0000000007273000-memory.dmpFilesize
652KB
-
memory/3044-280-0x0000000007590000-0x0000000007626000-memory.dmpFilesize
600KB
-
memory/3044-277-0x0000000007950000-0x0000000007FCA000-memory.dmpFilesize
6.5MB
-
memory/3044-263-0x0000000006080000-0x00000000060CC000-memory.dmpFilesize
304KB
-
memory/3044-275-0x00000000071B0000-0x00000000071CE000-memory.dmpFilesize
120KB
-
memory/3044-278-0x0000000007310000-0x000000000732A000-memory.dmpFilesize
104KB
-
memory/3044-283-0x0000000007560000-0x0000000007574000-memory.dmpFilesize
80KB
-
memory/3044-264-0x00000000065B0000-0x00000000065E2000-memory.dmpFilesize
200KB
-
memory/3044-282-0x0000000007550000-0x000000000755E000-memory.dmpFilesize
56KB
-
memory/3044-261-0x0000000005AF0000-0x0000000005E44000-memory.dmpFilesize
3.3MB
-
memory/3044-250-0x0000000005860000-0x00000000058C6000-memory.dmpFilesize
408KB
-
memory/3044-251-0x0000000005980000-0x00000000059E6000-memory.dmpFilesize
408KB
-
memory/3044-249-0x0000000005780000-0x00000000057A2000-memory.dmpFilesize
136KB
-
memory/3044-248-0x0000000005150000-0x0000000005778000-memory.dmpFilesize
6.2MB
-
memory/3044-247-0x0000000004A10000-0x0000000004A46000-memory.dmpFilesize
216KB
-
memory/3044-279-0x0000000007380000-0x000000000738A000-memory.dmpFilesize
40KB
-
memory/3044-265-0x000000006F5C0000-0x000000006F60C000-memory.dmpFilesize
304KB