Analysis Overview
SHA256
689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9
Threat Level: Known bad
The file 689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9 was found to be: Known bad.
Malicious Activity Summary
Sality
UAC bypass
Windows security bypass
Modifies firewall policy service
Command and Scripting Interpreter: PowerShell
UPX packed file
Windows security modification
Loads dropped DLL
Enumerates connected drives
Checks whether UAC is enabled
Checks installed software on the system
Maps connected drives based on registry
Drops autorun.inf file
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 14:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 14:18
Reported
2024-05-19 14:21
Platform
win7-20240508-en
Max time kernel
122s
Max time network
148s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Enumerates connected drives
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\ | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\f761e88 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe
"C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WanNengSoftManager\'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| NL | 138.113.210.95:80 | wzhmg.iwakaka.net | tcp |
| US | 8.8.8.8:53 | ymflm.iwakaka.net | udp |
| US | 8.8.8.8:53 | dwoncdn.wtque.com | udp |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 121.43.13.140:443 | dwoncdn.wtque.com | tcp |
| NL | 138.113.210.95:443 | wzhmg.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| NL | 138.113.210.95:80 | wzhmg.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | jioge.iwakaka.net | udp |
| NL | 138.113.210.95:443 | jioge.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
Files
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini
| MD5 | 182054581a5e70e61a780a6fd014f1bf |
| SHA1 | 75becfe61e27d2876756f0a3d867ed0f9146ed14 |
| SHA256 | b5e50ac531659d8cbb248c4be69600321c6f66acf67b2475ed645ebdfb640495 |
| SHA512 | e29cf271e9f7c6919be3d12aaeebdbbebddae30b3777457515bd5e3fa61a8cd2f67da96527ead8b8180f23f125765c6ef6807c2b09124a7337eac8539cb5c56c |
F:\ugqd.pif
| MD5 | 7dc2e9d983f9ab5f2cd994e09c8b816d |
| SHA1 | 682649d488fbc8563b9ca8993cd1356b322fe440 |
| SHA256 | bb210d8ae9aa020c9afd3de7af1ccc2ecb13621355d0d5ff40b16b8d7dda81a8 |
| SHA512 | ce8114e648f7a659f656fca583f14595c101f58d7c3542c634e10b29efc63d4a969f9fa76c92fd47352cdbe17673bcd7f7c62d193419e2f71fac5398f125093d |
C:\Users\Admin\AppData\Local\Temp\811rd797\dhjk.bce
| MD5 | ec8eda88ce80e96d2c8110e8e9e46adf |
| SHA1 | 05607645a64283d92cd34e28873494d274798719 |
| SHA256 | f8683fa3e248cc7dfd17d541dde23366d5b05112b30442aba033abd671cc2524 |
| SHA512 | 9ee23e2d5d5d5ce0e5a2d3b592cfc1bec1876dec605ccdbb7e4e5f74a9099948f9c0842a7506c9eafb9be90b12fe8b5eaa0267a51f496f8c6bc58adc9cd5e730 |
C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico
| MD5 | e1bd484966a645a7b456a67ed4a2677c |
| SHA1 | 528d589847d60b41e5faa40c6ee5e1d361df0c55 |
| SHA256 | 87868f0c311ba96d5f8069b070a8309d2a54813535ae99d852cff44a23f626f6 |
| SHA512 | 8f76bc32ab178b056a7c01608e8a0596aa1784f290837a8f0b844f097a4170d3cf9ed400f9c27de1ccdc645e012a66f086069a922ed2de9bd28cda584cf57dbc |
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico
| MD5 | 9fd1679643ee825d340f58471a869fde |
| SHA1 | 2ac5b4f383d5fa10ad3fbbb30c6fe0654c8b8039 |
| SHA256 | 3c75eaa4dc66bc1cab8324f14a2f54a62a44ee050a7a6e925592921ebb48f8f5 |
| SHA512 | d1a4cb08415493f7b10a6edb45f2fe30c7e4d8cb77fe29143887edaac5bf992146df61c412016c687ef4dd9e1b181c7328c0811314e3ebec7f19798cb5e75a79 |
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico
| MD5 | e7065376abcdb34c3147162172c29ea7 |
| SHA1 | 4608d48bb5476823116db94a0890f52f559eca39 |
| SHA256 | ecb25a772f8e3db7027850aa646384d37190d9233dec18a9151201b0acb20c69 |
| SHA512 | 7119480da0cc16a7609a611c984c888589c722edc9d5d213a488b11426020a92402ea06be0a375bb2912661d73caa06d4a52243b8233fdec64af1f056a8b44c2 |
\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
| MD5 | c962318702eac982494f55762d5358e5 |
| SHA1 | dfee67eec82c97614261ad826020e95b9183fa45 |
| SHA256 | bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac |
| SHA512 | 9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1 |
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini
| MD5 | 6453b0577c66bee62796c33f61020273 |
| SHA1 | 4c20b7b9ad1519c32fbd552629f533e189d813b2 |
| SHA256 | 1f51ade2eedd2734f0517b8d9a8ebaba4595adfd97ca4063d713f62ad544a8e5 |
| SHA512 | d18145426ad9b0db3678a43c8a7466cbdc9915e05f305600b2086a4f6ef13d363ba47eb58aa627d17c989a7143c54aa732c6d9bba584586600170072c0b72603 |
C:\Program Files (x86)\WanNengSoftManager\wke.dll
| MD5 | cb099b500ceb0e2c123ceef14bd7183e |
| SHA1 | 7c7538b9bade66b4561bc14183b31deec50d0021 |
| SHA256 | bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592 |
| SHA512 | f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705 |
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe
| MD5 | 30d04c3ac9a0a938f0742c504ad7b256 |
| SHA1 | 46966a65cb4c4e74cd949bc2615776701564b67b |
| SHA256 | 5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103 |
| SHA512 | 17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765 |
C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe
| MD5 | 3003134f2f47ee73ea52bd7690854274 |
| SHA1 | 5ef19e5392cb71a98186ca2fa3fafafc1a8fae12 |
| SHA256 | 6c51048d92d86081bd5323e2ce25734a2b5d0991585dcab95dd051b87204334b |
| SHA512 | d4ba9175b4a0e2a7b8ba377d731a0c76dadaaad254630bd62781fbf72339c8228c501e9ddad0f456b1de9beac40910f1f2a964d78064e457e6f1e88cf7864965 |
C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll
| MD5 | acd59a749f0e56a163bddc1f454f69b2 |
| SHA1 | 08f05945d666c6e19e0e8eaf0ab14d26eaa424fd |
| SHA256 | c7fce5752658147e008cbfa8b39dfdb51615ff2c0e73866483bf829c375b8ce5 |
| SHA512 | 627b027abdd502738958bbf62fdf737cf8a0930e4ac5c54e4ef5d74e6493d196b69a6b3911518d115fbcf039868e16e88ba7b1d6c01d8a993c945e99bb6ab234 |
C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll
| MD5 | 6b5253223698a88ea8393c0bb324aae8 |
| SHA1 | df156ead59e070d232aa6488c8ce1d857617aa15 |
| SHA256 | 3ef4d209c611807a27b2e01298ef2651a25b01f389ef59c60997a019bf14c575 |
| SHA512 | 595aa7805198984cbcceffc71ad45d1fb4b6651987030a78dc703f0f0d575ddb7606c69fc5aa1e563a8d679f0b56b32c436b1a299f1f5e173d23d35e8ecc0a18 |
C:\Program Files (x86)\WanNengSoftManager\wndr.cat
| MD5 | 5d61437ee311a8aedc5af1d92b520a23 |
| SHA1 | 4411b26ed712a63a6dd15d909e7c6c6d29d49400 |
| SHA256 | 7f784e9ffd1ea2e8b19ed583db8d395d643186a7f930234ee69fd71dcc208f3b |
| SHA512 | d0b1c5961e067693729546502255e91721e4a97e5413e76e9f19d73e774ff3f55ad89713f3b643c88e096958103536d600ef768e3eeca2d8a2b858b3953a8ff8 |
C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll
| MD5 | d468405798b4794714b55d7acb5c337f |
| SHA1 | 6131ea842c69cb2cf0b8f1b1be1558168e023fb1 |
| SHA256 | 550994432a9ebce0b266a2d7892194e89d5aab4b2b6d7dae6b102fcdcb803c84 |
| SHA512 | ca64de673d4a2f4fd63ed7347f7d9e0743c5ee5583563423429f1d19952f43cb91ee61e8b85f08731325700e92836d5d4026d79929b0e1811c25a6aa06e8ee1c |
C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll
| MD5 | 7b77180aa387e2480811c118a30dd05e |
| SHA1 | 159d07f6a313f130f046af392aaad50bab80eeb6 |
| SHA256 | 355943ed9b2bbb59ab4298b83d3a98290a42fcee87a1cd46e7c777161a09c106 |
| SHA512 | 90549e017e331761632f8b5fddecfba928401fce2a5afef5aee665f980d529666ffb36eb5bd5e9cec78b051b4d3bbfaa35f0b72b85cc706176b4a1b5422b6afb |
C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll
| MD5 | 1b900520d1c09713f2906f4c5b9d8615 |
| SHA1 | 38f9967da362505caa4b8a02847288662752447d |
| SHA256 | d8dd77d93a35ffe5d55f16497ccb3ab9cd0c4214d9b6d82ce48c9c2ab2cbb697 |
| SHA512 | ccadfd98bf7b4127ba2feb0c040b4af27c2749cc4d063ba6a3f96b10e24fdf237f98f3a9f923f3187461237bd402e7e6bd086fb1bff8847d0e49981f1f639f12 |
C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll
| MD5 | 8e2c5d3c053319ed8d63483d256449bc |
| SHA1 | 961dfe8155befb9947f58c84df4c4fb32623c911 |
| SHA256 | a1cdb58efe50c9824776219541ec36fc9532f0dc68e6f95321bdf4c538387637 |
| SHA512 | 18b2e3b861db93b1ea1ac090791296aa25d1d2a6584b2624b982f044fb0142c4c413e134cc244d3b3273f90150ee7a22fda1a92bdb5f1f34bf95281579a8f042 |
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe
| MD5 | a177078edd4918268d7c2f9b0ba086a0 |
| SHA1 | c8229ded91155bfe0de7ed49fa6df988129f7064 |
| SHA256 | c7459aeab6058396ccffb3e0b7cc45fbc39b90b86ec3c50accc4a5e10ff52edf |
| SHA512 | e6f9680b897266453706cd236324551ed69ef9aa5061a5c1c5ad45acce8fb635d09174c760ce998403261e774d3bff207d73d2a26e97b78d9c120cf735f069b3 |
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe
| MD5 | db553556e221b52c88a80b8005704737 |
| SHA1 | a76664b31a66d6f117a50224010616a335fd8e21 |
| SHA256 | 98813ebe375289f2f514fa2064c5817f9bea0e89a91f16455918b46e42d7ed43 |
| SHA512 | 4647a12b9ca93a4fd0cab4df518e5b0a66a5c5984ade09db335905cdd9da89074572ad3011c9f4a14823a08653183ba6ab4cf799ff1dd10fc13f3346f9d7d71d |
C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc
| MD5 | 2c4fdced429b803305607ed171dff5bb |
| SHA1 | 449000b216cbb472bc18b122c4fa516adb299a19 |
| SHA256 | ce792fbac3c45906e948319f9e06d2854ee6ab580220f66c562cd75358b1a894 |
| SHA512 | f499a42044774222c3221fde90b0c33617ff329b2d858e242a31f6f365c8b36a7628dca24c41d92cf2adfc36813ba5cb309f48c5ad616377b348124837784465 |
C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes
| MD5 | e220627df0f7912ca9abf9003e3536ac |
| SHA1 | 5dfade04a3a08d68f2937b89792c06db299eaa7e |
| SHA256 | 844a4a6d945fbce245cde1f3edb7ed3c93b36b472a3a00c347d210c4e459f921 |
| SHA512 | a69326f0ba5450f859308a9a1d44d7f021ac7209674274ddb8437ab885567f39cc4571f38b739ea731510c7755e3afd4923e28d20cbfdc162fd41c1920592c9e |
C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe
| MD5 | 1a8d6b945faa865f5c189bba5df42844 |
| SHA1 | 10b7c7628a40a882de155722c2d7942734fe4901 |
| SHA256 | de8eac7f944a6c99a894b74fa4327f765cb381d4745602f3acbbcf1c3a7ff5ab |
| SHA512 | 579993711e6eba9a54f72a04f13209255e50656277dac9e0309ca77afec3acbe12ad3ccb4337afde70e2d5db7453a0ab557585e45da4699ebe03bf1d635777b6 |
C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe
| MD5 | c9f30057628368706bcdc4cc1da5fc27 |
| SHA1 | 8447d2ec544b4288c0eb4f0c913cdda8e475fc31 |
| SHA256 | 64b9caf38355a451b34e8a7d012fb7e60eb4b76fd98fe82c096e0e34268d7d51 |
| SHA512 | c9135fca1f79531a5ff16c6a641dd110952f7b28958a245fc75a7ff2a8c8c271b4c2c95ba2f288909ffbfefca70c7c12f0a8ae0d763c69d5a93bc50b5ca35eb0 |
C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll
| MD5 | de11310bfdd3f2d2bf49201dd1914699 |
| SHA1 | 4625d4d3bf4ece6599fbb1abd7357438c6d76ae5 |
| SHA256 | b485275db6102a1c1fa41b8b260d35bbdb7600d6d1c32099c54b3b6750556699 |
| SHA512 | ee91e6d5953207ed69b011ed06ed1fc95fcf86d392009802a6f4d080fbe306123c30cfc7a5e64839a51c5cd018a4e147dc3b962088a3a30ba2f0880ba59b437c |
C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tff
| MD5 | 17758d686860dddfa39a0515829a23c6 |
| SHA1 | f9efe7b295d31b3e8c359f8e3fe2e893fd0ebfce |
| SHA256 | 241610908c9f40566296f34066195c0606b577595b84cfb282337b58e23d07e1 |
| SHA512 | 664f0a90c40d7789bef2e4866e96145d32d5dfafe329b6c62c54fe9bf367317ba5b69962454d62e4c94b9b9530df3d64d702bd54bac24ab380243ba6b6426a4b |
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
| MD5 | 14f78023f4a504ace87f681028eae4be |
| SHA1 | 8eb62dd9894adcd90bb080b7cb33bd9affc3c05f |
| SHA256 | 5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81 |
| SHA512 | 24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998 |
C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe
| MD5 | 7333a527dbedff3be88294d07dd9e4a1 |
| SHA1 | 6aeb844db20b0f440734bf53283e57619834db7a |
| SHA256 | 1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3 |
| SHA512 | 12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580 |
C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll
| MD5 | 2ea1bb79182e0832833828cf04288fbb |
| SHA1 | 3613dfa6fd8a15ad931db368fd4928d4836143e0 |
| SHA256 | b3c7a548073644da7d501e663cad09feef8ff30a2b232e58e2c50b6c8ca9d801 |
| SHA512 | 55f443552a1cd1762dd5eabb35db459cc51d2bfadfa07a3a7fcaca99d437c1d077b84f660a08805af64c69bef0d0561c579c6d15e01b44b02218f8a932b813e5 |
C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe
| MD5 | db101c5d26f7d92064c6d3faaba20175 |
| SHA1 | 683afd3c7512886d0f4c5987deefafb5f396b573 |
| SHA256 | f5cd65baabbcc556b0beae9e6e65b71b5fd19b44f7776cfaef9b6bd09bb156f5 |
| SHA512 | 07f56957258ed8bee16577998bbf97f7d8ff799cacf865fdb47029dc008af6df632ac55e860b0f859b7525d41478f06885bda89185b67f73c79eccc30ec83503 |
C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff
| MD5 | 39b59f56c7cdcc204ea2e2f44f0f11ba |
| SHA1 | 5a6b0fa4849b38fd75edb0b66c1e8fcd4f70b17a |
| SHA256 | 5eccd83aa0e78f466a14fa4862d273eaa1999fed6cef6f451c6d7b829ea71388 |
| SHA512 | 88b8ccfc1989cb4eb365562240a96117e2cb90601f053e803bee1c10defd17323a10e946797bd721bae6b4d8255a03f06a04266010ae838657e37c06525b85b5 |
C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe
| MD5 | 4c87ae53f9687a128563aa0bdd931e3a |
| SHA1 | f08b3e12e5e3492a8b0f14e2230c0da4099f9a88 |
| SHA256 | dd62ffa2383984ce8c009cb55cb6818afe9b343d6c8dc73f6f78210aa4d9e6f5 |
| SHA512 | e26bf9065a0d976fe3533b35c4e3193e98bec8cf46855bdfd58ce5b86106a1a8b4655c41d40dd407f2702dbaaa5d0b9c0ab7e73010fe2dd957ab5f2a010bc832 |
C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes
| MD5 | 6a99dce0aa4798a921799231fb98d0b7 |
| SHA1 | f986740992007f92ddb6db452a0d4ee7a3de3b3c |
| SHA256 | 64cad370d5373313a05e71efc4d719b17b4801576356e693b47e4515fb64641a |
| SHA512 | 31b684a3e72d36f6077f792257c4fd33ba79eb7a02e153b0898bfcaa64c8dac931b7ee7b371784b88b47a014fd744df2743388773444b82d25d65932b64d6eee |
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini
| MD5 | 8169df157e5aaa7814e19e4a312a8e6e |
| SHA1 | 9250c428993ae78da6f578af6ee968d632f14b32 |
| SHA256 | d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812 |
| SHA512 | 6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1 |
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini
| MD5 | 3513b038fdfb90f928f6090bcf56adf0 |
| SHA1 | 78a9c17eb7b0cb35e8c5cc7598d5cc03d4523964 |
| SHA256 | 66df60b43e58d66d8c8f7f996515f0873455af7cc6b65c4a77688d31b6c60a74 |
| SHA512 | a58d6fc687575abf86c526280ed9f21b917f7e22ef841d29fb247680b0945890db3d9cd53714bdaf6f926930108317240d2cf83621ce1c1b99d90c006c2eb8de |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 14:18
Reported
2024-05-19 14:21
Platform
win10v2004-20240426-en
Max time kernel
122s
Max time network
149s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Enumerates connected drives
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\ | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\e572887 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe
"C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WanNengSoftManager\'
Network
Files
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini
F:\qwomnw.exe
C:\Users\Admin\AppData\Local\Temp\531rd532\dhjk.bce
C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ihxpxch.glf.ps1
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll
C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll
C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini
C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe
C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff
C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes
C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll
C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe
C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tff
C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes
C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe
C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe
C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe
C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe
C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll
C:\Program Files (x86)\WanNengSoftManager\wndr.cat
C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll
C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll
C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll
C:\Program Files (x86)\WanNengSoftManager\wke.dll
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini