Analysis Overview
SHA256
689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9
Threat Level: Known bad
The file 689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
UAC bypass
Modifies firewall policy service
Sality
Command and Scripting Interpreter: PowerShell
UPX packed file
Loads dropped DLL
Windows security modification
Checks whether UAC is enabled
Enumerates connected drives
Checks installed software on the system
Maps connected drives based on registry
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 00:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 00:10
Reported
2024-05-20 00:13
Platform
win7-20240215-en
Max time kernel
124s
Max time network
146s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Enumerates connected drives
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\ | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\f760db7 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe
"C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WanNengSoftManager\'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| NL | 138.113.210.95:80 | wzhmg.iwakaka.net | tcp |
| US | 8.8.8.8:53 | ymflm.iwakaka.net | udp |
| US | 8.8.8.8:53 | dwoncdn.wtque.com | udp |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 121.43.13.140:443 | dwoncdn.wtque.com | tcp |
| NL | 138.113.210.95:443 | wzhmg.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| NL | 138.113.210.95:80 | wzhmg.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | jioge.iwakaka.net | udp |
| NL | 138.113.210.95:443 | jioge.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
Files
memory/2388-0-0x0000000000400000-0x0000000000607000-memory.dmp
memory/2388-4-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-6-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-10-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-8-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-11-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-32-0x0000000000360000-0x0000000000362000-memory.dmp
memory/2388-31-0x0000000000370000-0x0000000000371000-memory.dmp
memory/2388-12-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-33-0x0000000000360000-0x0000000000362000-memory.dmp
memory/2388-9-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-29-0x0000000000370000-0x0000000000371000-memory.dmp
memory/2388-28-0x0000000000360000-0x0000000000362000-memory.dmp
memory/1116-18-0x0000000000210000-0x0000000000212000-memory.dmp
memory/2388-7-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-5-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-3-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-34-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-35-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-36-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-37-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
memory/2388-38-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-48-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-49-0x00000000063C0000-0x0000000006400000-memory.dmp
memory/2388-50-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-56-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-52-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-57-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-58-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-53-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-51-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-60-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-61-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-63-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2388-65-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-66-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-68-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-69-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-71-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-74-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-93-0x0000000002040000-0x00000000030FA000-memory.dmp
memory/2388-103-0x0000000000360000-0x0000000000362000-memory.dmp
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini
| MD5 | 0b4c72ce452d600c47132e1207cd45bd |
| SHA1 | a485a03275692a28d5e17741c526f94473d3456f |
| SHA256 | e5eb902962419dc80b198077e648d060634b5d9b563b3da6eaf59508db24cf61 |
| SHA512 | 7fb5ab12e4e4ad3ca3ba7435dd721f9981ab78148518a829f5c38fbcda6425b3a429d9fdab24d5449e067f20b4cb14aa9b0dfaf09c5e28839fcaa9d27ea8381b |
memory/2388-138-0x00000000063C0000-0x0000000006400000-memory.dmp
F:\dtjc.exe
| MD5 | 0567313f9c61e703e4f516391b13af2b |
| SHA1 | 900ae32de4bbbcb273f23b34a96c8456fd454c30 |
| SHA256 | c7986e9211b60e1cc52cca8d4c4f5c89a05bf0289884c7dddde2e4aef8ed48a4 |
| SHA512 | 6fb2fc90cd52ca327fad526467e0e4231f9e612ca2786367581427ac7a15f7d02dda9a7e4bf25ad599afdf50c3f831660c5e089758031f1f12c3797a7f2a047f |
C:\Users\Admin\AppData\Local\Temp\242rd939\dhjk.bce
| MD5 | ec8eda88ce80e96d2c8110e8e9e46adf |
| SHA1 | 05607645a64283d92cd34e28873494d274798719 |
| SHA256 | f8683fa3e248cc7dfd17d541dde23366d5b05112b30442aba033abd671cc2524 |
| SHA512 | 9ee23e2d5d5d5ce0e5a2d3b592cfc1bec1876dec605ccdbb7e4e5f74a9099948f9c0842a7506c9eafb9be90b12fe8b5eaa0267a51f496f8c6bc58adc9cd5e730 |
C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico
| MD5 | e1bd484966a645a7b456a67ed4a2677c |
| SHA1 | 528d589847d60b41e5faa40c6ee5e1d361df0c55 |
| SHA256 | 87868f0c311ba96d5f8069b070a8309d2a54813535ae99d852cff44a23f626f6 |
| SHA512 | 8f76bc32ab178b056a7c01608e8a0596aa1784f290837a8f0b844f097a4170d3cf9ed400f9c27de1ccdc645e012a66f086069a922ed2de9bd28cda584cf57dbc |
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico
| MD5 | 9fd1679643ee825d340f58471a869fde |
| SHA1 | 2ac5b4f383d5fa10ad3fbbb30c6fe0654c8b8039 |
| SHA256 | 3c75eaa4dc66bc1cab8324f14a2f54a62a44ee050a7a6e925592921ebb48f8f5 |
| SHA512 | d1a4cb08415493f7b10a6edb45f2fe30c7e4d8cb77fe29143887edaac5bf992146df61c412016c687ef4dd9e1b181c7328c0811314e3ebec7f19798cb5e75a79 |
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico
| MD5 | e7065376abcdb34c3147162172c29ea7 |
| SHA1 | 4608d48bb5476823116db94a0890f52f559eca39 |
| SHA256 | ecb25a772f8e3db7027850aa646384d37190d9233dec18a9151201b0acb20c69 |
| SHA512 | 7119480da0cc16a7609a611c984c888589c722edc9d5d213a488b11426020a92402ea06be0a375bb2912661d73caa06d4a52243b8233fdec64af1f056a8b44c2 |
\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
| MD5 | c962318702eac982494f55762d5358e5 |
| SHA1 | dfee67eec82c97614261ad826020e95b9183fa45 |
| SHA256 | bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac |
| SHA512 | 9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1 |
C:\Program Files (x86)\WanNengSoftManager\wke.dll
| MD5 | cb099b500ceb0e2c123ceef14bd7183e |
| SHA1 | 7c7538b9bade66b4561bc14183b31deec50d0021 |
| SHA256 | bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592 |
| SHA512 | f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705 |
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini
| MD5 | 96c112f54df470818245ee2440f21757 |
| SHA1 | 3cd5e3dea2e021e0a31a84cd34cc4281dd62d645 |
| SHA256 | f7dc27d8b9110af3b4a4616646e74fac6565bea8fd30ccff9cba0cd4d9cab67e |
| SHA512 | 0c610761864b6c6e39c2671aa503f3af7a584d868fa49271e7f073c48c1f73c5399c91fca7c5d167f37aea1b5d0f8c0e640a63cafd57b34e36a442d11953f80a |
C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll
| MD5 | 7b77180aa387e2480811c118a30dd05e |
| SHA1 | 159d07f6a313f130f046af392aaad50bab80eeb6 |
| SHA256 | 355943ed9b2bbb59ab4298b83d3a98290a42fcee87a1cd46e7c777161a09c106 |
| SHA512 | 90549e017e331761632f8b5fddecfba928401fce2a5afef5aee665f980d529666ffb36eb5bd5e9cec78b051b4d3bbfaa35f0b72b85cc706176b4a1b5422b6afb |
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe
| MD5 | 30d04c3ac9a0a938f0742c504ad7b256 |
| SHA1 | 46966a65cb4c4e74cd949bc2615776701564b67b |
| SHA256 | 5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103 |
| SHA512 | 17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765 |
C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe
| MD5 | 3003134f2f47ee73ea52bd7690854274 |
| SHA1 | 5ef19e5392cb71a98186ca2fa3fafafc1a8fae12 |
| SHA256 | 6c51048d92d86081bd5323e2ce25734a2b5d0991585dcab95dd051b87204334b |
| SHA512 | d4ba9175b4a0e2a7b8ba377d731a0c76dadaaad254630bd62781fbf72339c8228c501e9ddad0f456b1de9beac40910f1f2a964d78064e457e6f1e88cf7864965 |
C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll
| MD5 | acd59a749f0e56a163bddc1f454f69b2 |
| SHA1 | 08f05945d666c6e19e0e8eaf0ab14d26eaa424fd |
| SHA256 | c7fce5752658147e008cbfa8b39dfdb51615ff2c0e73866483bf829c375b8ce5 |
| SHA512 | 627b027abdd502738958bbf62fdf737cf8a0930e4ac5c54e4ef5d74e6493d196b69a6b3911518d115fbcf039868e16e88ba7b1d6c01d8a993c945e99bb6ab234 |
C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll
| MD5 | 6b5253223698a88ea8393c0bb324aae8 |
| SHA1 | df156ead59e070d232aa6488c8ce1d857617aa15 |
| SHA256 | 3ef4d209c611807a27b2e01298ef2651a25b01f389ef59c60997a019bf14c575 |
| SHA512 | 595aa7805198984cbcceffc71ad45d1fb4b6651987030a78dc703f0f0d575ddb7606c69fc5aa1e563a8d679f0b56b32c436b1a299f1f5e173d23d35e8ecc0a18 |
C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe
| MD5 | c9f30057628368706bcdc4cc1da5fc27 |
| SHA1 | 8447d2ec544b4288c0eb4f0c913cdda8e475fc31 |
| SHA256 | 64b9caf38355a451b34e8a7d012fb7e60eb4b76fd98fe82c096e0e34268d7d51 |
| SHA512 | c9135fca1f79531a5ff16c6a641dd110952f7b28958a245fc75a7ff2a8c8c271b4c2c95ba2f288909ffbfefca70c7c12f0a8ae0d763c69d5a93bc50b5ca35eb0 |
C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll
| MD5 | de11310bfdd3f2d2bf49201dd1914699 |
| SHA1 | 4625d4d3bf4ece6599fbb1abd7357438c6d76ae5 |
| SHA256 | b485275db6102a1c1fa41b8b260d35bbdb7600d6d1c32099c54b3b6750556699 |
| SHA512 | ee91e6d5953207ed69b011ed06ed1fc95fcf86d392009802a6f4d080fbe306123c30cfc7a5e64839a51c5cd018a4e147dc3b962088a3a30ba2f0880ba59b437c |
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe
| MD5 | db553556e221b52c88a80b8005704737 |
| SHA1 | a76664b31a66d6f117a50224010616a335fd8e21 |
| SHA256 | 98813ebe375289f2f514fa2064c5817f9bea0e89a91f16455918b46e42d7ed43 |
| SHA512 | 4647a12b9ca93a4fd0cab4df518e5b0a66a5c5984ade09db335905cdd9da89074572ad3011c9f4a14823a08653183ba6ab4cf799ff1dd10fc13f3346f9d7d71d |
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe
| MD5 | a177078edd4918268d7c2f9b0ba086a0 |
| SHA1 | c8229ded91155bfe0de7ed49fa6df988129f7064 |
| SHA256 | c7459aeab6058396ccffb3e0b7cc45fbc39b90b86ec3c50accc4a5e10ff52edf |
| SHA512 | e6f9680b897266453706cd236324551ed69ef9aa5061a5c1c5ad45acce8fb635d09174c760ce998403261e774d3bff207d73d2a26e97b78d9c120cf735f069b3 |
C:\Program Files (x86)\WanNengSoftManager\wndr.cat
| MD5 | 5d61437ee311a8aedc5af1d92b520a23 |
| SHA1 | 4411b26ed712a63a6dd15d909e7c6c6d29d49400 |
| SHA256 | 7f784e9ffd1ea2e8b19ed583db8d395d643186a7f930234ee69fd71dcc208f3b |
| SHA512 | d0b1c5961e067693729546502255e91721e4a97e5413e76e9f19d73e774ff3f55ad89713f3b643c88e096958103536d600ef768e3eeca2d8a2b858b3953a8ff8 |
C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll
| MD5 | d468405798b4794714b55d7acb5c337f |
| SHA1 | 6131ea842c69cb2cf0b8f1b1be1558168e023fb1 |
| SHA256 | 550994432a9ebce0b266a2d7892194e89d5aab4b2b6d7dae6b102fcdcb803c84 |
| SHA512 | ca64de673d4a2f4fd63ed7347f7d9e0743c5ee5583563423429f1d19952f43cb91ee61e8b85f08731325700e92836d5d4026d79929b0e1811c25a6aa06e8ee1c |
C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll
| MD5 | 1b900520d1c09713f2906f4c5b9d8615 |
| SHA1 | 38f9967da362505caa4b8a02847288662752447d |
| SHA256 | d8dd77d93a35ffe5d55f16497ccb3ab9cd0c4214d9b6d82ce48c9c2ab2cbb697 |
| SHA512 | ccadfd98bf7b4127ba2feb0c040b4af27c2749cc4d063ba6a3f96b10e24fdf237f98f3a9f923f3187461237bd402e7e6bd086fb1bff8847d0e49981f1f639f12 |
C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll
| MD5 | 8e2c5d3c053319ed8d63483d256449bc |
| SHA1 | 961dfe8155befb9947f58c84df4c4fb32623c911 |
| SHA256 | a1cdb58efe50c9824776219541ec36fc9532f0dc68e6f95321bdf4c538387637 |
| SHA512 | 18b2e3b861db93b1ea1ac090791296aa25d1d2a6584b2624b982f044fb0142c4c413e134cc244d3b3273f90150ee7a22fda1a92bdb5f1f34bf95281579a8f042 |
C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe
| MD5 | 1a8d6b945faa865f5c189bba5df42844 |
| SHA1 | 10b7c7628a40a882de155722c2d7942734fe4901 |
| SHA256 | de8eac7f944a6c99a894b74fa4327f765cb381d4745602f3acbbcf1c3a7ff5ab |
| SHA512 | 579993711e6eba9a54f72a04f13209255e50656277dac9e0309ca77afec3acbe12ad3ccb4337afde70e2d5db7453a0ab557585e45da4699ebe03bf1d635777b6 |
C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tff
| MD5 | 17758d686860dddfa39a0515829a23c6 |
| SHA1 | f9efe7b295d31b3e8c359f8e3fe2e893fd0ebfce |
| SHA256 | 241610908c9f40566296f34066195c0606b577595b84cfb282337b58e23d07e1 |
| SHA512 | 664f0a90c40d7789bef2e4866e96145d32d5dfafe329b6c62c54fe9bf367317ba5b69962454d62e4c94b9b9530df3d64d702bd54bac24ab380243ba6b6426a4b |
C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes
| MD5 | e220627df0f7912ca9abf9003e3536ac |
| SHA1 | 5dfade04a3a08d68f2937b89792c06db299eaa7e |
| SHA256 | 844a4a6d945fbce245cde1f3edb7ed3c93b36b472a3a00c347d210c4e459f921 |
| SHA512 | a69326f0ba5450f859308a9a1d44d7f021ac7209674274ddb8437ab885567f39cc4571f38b739ea731510c7755e3afd4923e28d20cbfdc162fd41c1920592c9e |
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
| MD5 | 14f78023f4a504ace87f681028eae4be |
| SHA1 | 8eb62dd9894adcd90bb080b7cb33bd9affc3c05f |
| SHA256 | 5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81 |
| SHA512 | 24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998 |
C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc
| MD5 | 2c4fdced429b803305607ed171dff5bb |
| SHA1 | 449000b216cbb472bc18b122c4fa516adb299a19 |
| SHA256 | ce792fbac3c45906e948319f9e06d2854ee6ab580220f66c562cd75358b1a894 |
| SHA512 | f499a42044774222c3221fde90b0c33617ff329b2d858e242a31f6f365c8b36a7628dca24c41d92cf2adfc36813ba5cb309f48c5ad616377b348124837784465 |
C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe
| MD5 | db101c5d26f7d92064c6d3faaba20175 |
| SHA1 | 683afd3c7512886d0f4c5987deefafb5f396b573 |
| SHA256 | f5cd65baabbcc556b0beae9e6e65b71b5fd19b44f7776cfaef9b6bd09bb156f5 |
| SHA512 | 07f56957258ed8bee16577998bbf97f7d8ff799cacf865fdb47029dc008af6df632ac55e860b0f859b7525d41478f06885bda89185b67f73c79eccc30ec83503 |
C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe
| MD5 | 7333a527dbedff3be88294d07dd9e4a1 |
| SHA1 | 6aeb844db20b0f440734bf53283e57619834db7a |
| SHA256 | 1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3 |
| SHA512 | 12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580 |
C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes
| MD5 | 6a99dce0aa4798a921799231fb98d0b7 |
| SHA1 | f986740992007f92ddb6db452a0d4ee7a3de3b3c |
| SHA256 | 64cad370d5373313a05e71efc4d719b17b4801576356e693b47e4515fb64641a |
| SHA512 | 31b684a3e72d36f6077f792257c4fd33ba79eb7a02e153b0898bfcaa64c8dac931b7ee7b371784b88b47a014fd744df2743388773444b82d25d65932b64d6eee |
C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll
| MD5 | 2ea1bb79182e0832833828cf04288fbb |
| SHA1 | 3613dfa6fd8a15ad931db368fd4928d4836143e0 |
| SHA256 | b3c7a548073644da7d501e663cad09feef8ff30a2b232e58e2c50b6c8ca9d801 |
| SHA512 | 55f443552a1cd1762dd5eabb35db459cc51d2bfadfa07a3a7fcaca99d437c1d077b84f660a08805af64c69bef0d0561c579c6d15e01b44b02218f8a932b813e5 |
C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe
| MD5 | 4c87ae53f9687a128563aa0bdd931e3a |
| SHA1 | f08b3e12e5e3492a8b0f14e2230c0da4099f9a88 |
| SHA256 | dd62ffa2383984ce8c009cb55cb6818afe9b343d6c8dc73f6f78210aa4d9e6f5 |
| SHA512 | e26bf9065a0d976fe3533b35c4e3193e98bec8cf46855bdfd58ce5b86106a1a8b4655c41d40dd407f2702dbaaa5d0b9c0ab7e73010fe2dd957ab5f2a010bc832 |
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini
| MD5 | 8169df157e5aaa7814e19e4a312a8e6e |
| SHA1 | 9250c428993ae78da6f578af6ee968d632f14b32 |
| SHA256 | d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812 |
| SHA512 | 6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1 |
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini
| MD5 | 04c0555092645beb61d0240b7973468f |
| SHA1 | 8a55dc24726594fe0f5bc159f7788eac5604dd0f |
| SHA256 | c1fb91fa8231bdaf8777fd03d5b8677b7274ee26adfe695b8ef6d7973ba5c988 |
| SHA512 | c1a63da8e140a3b5e757b9ea5074482c5edd87f8735f19c51b8af4b6c70068357d5be3853c4276f26263fa42bbd1811b836d170f988308888d65465387333e1e |
C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff
| MD5 | 39b59f56c7cdcc204ea2e2f44f0f11ba |
| SHA1 | 5a6b0fa4849b38fd75edb0b66c1e8fcd4f70b17a |
| SHA256 | 5eccd83aa0e78f466a14fa4862d273eaa1999fed6cef6f451c6d7b829ea71388 |
| SHA512 | 88b8ccfc1989cb4eb365562240a96117e2cb90601f053e803bee1c10defd17323a10e946797bd721bae6b4d8255a03f06a04266010ae838657e37c06525b85b5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 00:10
Reported
2024-05-20 00:13
Platform
win10v2004-20240508-en
Max time kernel
122s
Max time network
150s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Enumerates connected drives
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\ | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\e574873 | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe
"C:\Users\Admin\AppData\Local\Temp\689b81de6ffbe96f2de1bee4652b9e55ad68f1572a339b4467b393e4bcaba1e9.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WanNengSoftManager\'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 138.113.210.95:80 | wzhmg.iwakaka.net | tcp |
| US | 8.8.8.8:53 | 95.210.113.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ymflm.iwakaka.net | udp |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| US | 8.8.8.8:53 | dwoncdn.wtque.com | udp |
| NL | 138.113.210.95:443 | wzhmg.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 121.43.13.140:443 | dwoncdn.wtque.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | wzhmg.iwakaka.net | udp |
| NL | 138.113.210.95:80 | wzhmg.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| US | 8.8.8.8:53 | jioge.iwakaka.net | udp |
| NL | 138.113.210.95:443 | jioge.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
| CN | 106.75.78.163:443 | ymflm.iwakaka.net | tcp |
Files
memory/2748-1-0x0000000000400000-0x0000000000607000-memory.dmp
memory/2748-3-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-4-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-5-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-7-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-17-0x00000000007F0000-0x00000000007F1000-memory.dmp
memory/2748-16-0x00000000007E0000-0x00000000007E2000-memory.dmp
memory/2748-15-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-20-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-21-0x00000000007E0000-0x00000000007E2000-memory.dmp
memory/2748-19-0x00000000007E0000-0x00000000007E2000-memory.dmp
memory/2748-14-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-6-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-13-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-18-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-22-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-23-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-25-0x0000000002470000-0x0000000002471000-memory.dmp
memory/2748-26-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-24-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-28-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-27-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-38-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-39-0x0000000006370000-0x0000000006380000-memory.dmp
memory/2748-41-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-47-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-46-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-43-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-50-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-49-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-51-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-52-0x0000000010000000-0x0000000010537000-memory.dmp
memory/2748-54-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-55-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-57-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-58-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-60-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-66-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-67-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-71-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-72-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-74-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-77-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-78-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-80-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-82-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-85-0x0000000002490000-0x000000000354A000-memory.dmp
memory/2748-95-0x0000000002490000-0x000000000354A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini
| MD5 | 222551cb2e469a87c1972e5e66b2080f |
| SHA1 | b6522a05128622197dd3bcef677dd2ee2d131c93 |
| SHA256 | 0250fb5859894a3e013c3fe28e16b85fa54e88b0a6a7e9ba99f9be3cbbaaa9d4 |
| SHA512 | 6e3795f3aa9a37437b382f0f465a5751e57377d922bc837ab229d2475862bb26a5358ca8b48edc079536fceca8fcc2759947bb0310ff2a657ce268c34efd1a63 |
memory/2748-111-0x00000000007E0000-0x00000000007E2000-memory.dmp
C:\uyuvav.exe
| MD5 | ff8e2d576ca9914af0d6daf056a8203e |
| SHA1 | cf785c80117568bf4c626690f63fcc1d750e97de |
| SHA256 | 538ef69041e4cd241babc92e40bce792ca3de57f048897b9072addf6223d730e |
| SHA512 | 2135dc290e30b8dd1fee1afd5e4654b126e5e34bfb762c1e3980ab3b2a09427e5b762bd363e89c01ac8910dae350bddc53acda0a3c52852d96ff5f06c9d64af5 |
memory/2748-121-0x0000000006370000-0x0000000006380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\802rd848\dhjk.bce
| MD5 | ec8eda88ce80e96d2c8110e8e9e46adf |
| SHA1 | 05607645a64283d92cd34e28873494d274798719 |
| SHA256 | f8683fa3e248cc7dfd17d541dde23366d5b05112b30442aba033abd671cc2524 |
| SHA512 | 9ee23e2d5d5d5ce0e5a2d3b592cfc1bec1876dec605ccdbb7e4e5f74a9099948f9c0842a7506c9eafb9be90b12fe8b5eaa0267a51f496f8c6bc58adc9cd5e730 |
C:\Program Files (x86)\WanNengSoftManager\Icon\main.ico
| MD5 | e1bd484966a645a7b456a67ed4a2677c |
| SHA1 | 528d589847d60b41e5faa40c6ee5e1d361df0c55 |
| SHA256 | 87868f0c311ba96d5f8069b070a8309d2a54813535ae99d852cff44a23f626f6 |
| SHA512 | 8f76bc32ab178b056a7c01608e8a0596aa1784f290837a8f0b844f097a4170d3cf9ed400f9c27de1ccdc645e012a66f086069a922ed2de9bd28cda584cf57dbc |
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\main.ico
| MD5 | e7065376abcdb34c3147162172c29ea7 |
| SHA1 | 4608d48bb5476823116db94a0890f52f559eca39 |
| SHA256 | ecb25a772f8e3db7027850aa646384d37190d9233dec18a9151201b0acb20c69 |
| SHA512 | 7119480da0cc16a7609a611c984c888589c722edc9d5d213a488b11426020a92402ea06be0a375bb2912661d73caa06d4a52243b8233fdec64af1f056a8b44c2 |
C:\Program Files (x86)\WanNengSoftManager\wngj\Icon\AllIcon\normal.ico
| MD5 | 9fd1679643ee825d340f58471a869fde |
| SHA1 | 2ac5b4f383d5fa10ad3fbbb30c6fe0654c8b8039 |
| SHA256 | 3c75eaa4dc66bc1cab8324f14a2f54a62a44ee050a7a6e925592921ebb48f8f5 |
| SHA512 | d1a4cb08415493f7b10a6edb45f2fe30c7e4d8cb77fe29143887edaac5bf992146df61c412016c687ef4dd9e1b181c7328c0811314e3ebec7f19798cb5e75a79 |
memory/2156-248-0x0000000004C90000-0x0000000004CC6000-memory.dmp
memory/2156-249-0x0000000005350000-0x0000000005978000-memory.dmp
memory/2156-250-0x0000000005990000-0x00000000059B2000-memory.dmp
memory/2156-251-0x0000000005B30000-0x0000000005B96000-memory.dmp
memory/2156-252-0x0000000005C10000-0x0000000005C76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sr2mbhbd.lll.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2156-262-0x0000000005C80000-0x0000000005FD4000-memory.dmp
memory/2156-263-0x0000000006220000-0x000000000623E000-memory.dmp
memory/2156-264-0x0000000006260000-0x00000000062AC000-memory.dmp
memory/2156-265-0x0000000007410000-0x0000000007442000-memory.dmp
memory/2156-266-0x000000006F9C0000-0x000000006FA0C000-memory.dmp
memory/2156-276-0x00000000067E0000-0x00000000067FE000-memory.dmp
memory/2156-277-0x0000000007450000-0x00000000074F3000-memory.dmp
memory/2156-278-0x0000000007B90000-0x000000000820A000-memory.dmp
memory/2156-279-0x0000000007550000-0x000000000756A000-memory.dmp
memory/2156-280-0x00000000075C0000-0x00000000075CA000-memory.dmp
memory/2156-281-0x00000000077D0000-0x0000000007866000-memory.dmp
memory/2156-282-0x0000000007750000-0x0000000007761000-memory.dmp
memory/2156-286-0x0000000007950000-0x000000000795E000-memory.dmp
memory/2156-287-0x0000000007A20000-0x0000000007A34000-memory.dmp
memory/2156-288-0x0000000007A60000-0x0000000007A7A000-memory.dmp
memory/2156-289-0x0000000007A50000-0x0000000007A58000-memory.dmp
C:\Program Files (x86)\WanNengSoftManager\WnUmanlike.exe
| MD5 | c962318702eac982494f55762d5358e5 |
| SHA1 | dfee67eec82c97614261ad826020e95b9183fa45 |
| SHA256 | bffb5df552ff14235d9c09b47e15b9755beda1f1e2957ef65475ddb6f603a1ac |
| SHA512 | 9f8a7082654fe3bec0eb92c9955776982e12dd123f67baf9457263219a4ccf7bd8b28438125690bdf07abc7132d1cd57f85a3ce6124112b9995081b358b2c4c1 |
C:\Program Files (x86)\WanNengSoftManager\Wnfghshmndf.exe
| MD5 | 3003134f2f47ee73ea52bd7690854274 |
| SHA1 | 5ef19e5392cb71a98186ca2fa3fafafc1a8fae12 |
| SHA256 | 6c51048d92d86081bd5323e2ce25734a2b5d0991585dcab95dd051b87204334b |
| SHA512 | d4ba9175b4a0e2a7b8ba377d731a0c76dadaaad254630bd62781fbf72339c8228c501e9ddad0f456b1de9beac40910f1f2a964d78064e457e6f1e88cf7864965 |
C:\Program Files (x86)\WanNengSoftManager\WnFSUpd.exe
| MD5 | 30d04c3ac9a0a938f0742c504ad7b256 |
| SHA1 | 46966a65cb4c4e74cd949bc2615776701564b67b |
| SHA256 | 5b8a6f3d529c085601d971ef44c4d6bf4bc8b05cd765a6986cb2968473374103 |
| SHA512 | 17ec81395837c365f61e43fd162ab4215dd1c2c035348205ce48d568d28894aa3b078c30040964cd1ca580e2df1aa92c5a827ccc247e5fdc880c5d8ee84a3765 |
C:\Program Files (x86)\WanNengSoftManager\WnSeve3.fes
| MD5 | e220627df0f7912ca9abf9003e3536ac |
| SHA1 | 5dfade04a3a08d68f2937b89792c06db299eaa7e |
| SHA256 | 844a4a6d945fbce245cde1f3edb7ed3c93b36b472a3a00c347d210c4e459f921 |
| SHA512 | a69326f0ba5450f859308a9a1d44d7f021ac7209674274ddb8437ab885567f39cc4571f38b739ea731510c7755e3afd4923e28d20cbfdc162fd41c1920592c9e |
C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini
| MD5 | 8169df157e5aaa7814e19e4a312a8e6e |
| SHA1 | 9250c428993ae78da6f578af6ee968d632f14b32 |
| SHA256 | d6da1cdd18fb7b2ee0ea3674e24107b944619eb9e19a8c9b5d9316b3aa197812 |
| SHA512 | 6d18b5048bd4f1d27fe6485af088bafea5bfdbe56b7cd68b5f8982e0b874601fe304b8f0f68c91a2e120c48c1267409e5bbc24a1020c7bf223fd1c6dce0f52f1 |
C:\Program Files (x86)\WanNengSoftManager\WnUninst.exe
| MD5 | 4c87ae53f9687a128563aa0bdd931e3a |
| SHA1 | f08b3e12e5e3492a8b0f14e2230c0da4099f9a88 |
| SHA256 | dd62ffa2383984ce8c009cb55cb6818afe9b343d6c8dc73f6f78210aa4d9e6f5 |
| SHA512 | e26bf9065a0d976fe3533b35c4e3193e98bec8cf46855bdfd58ce5b86106a1a8b4655c41d40dd407f2702dbaaa5d0b9c0ab7e73010fe2dd957ab5f2a010bc832 |
C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini
| MD5 | 8039c071c563590a2cb23d85966a3a8d |
| SHA1 | 73fea27243d487edbc823b223666157b02bc5624 |
| SHA256 | a7d07fb60464b4f19c67203b4fa5101ab759596963d2083822570de5c3166584 |
| SHA512 | 5cdc064bd84dc77c292cdda42508a4fe151f4e93f885aea148bb7e67cd3714044dc71ee40b75692ae66f42b8afa08d9115a650b2ff3709644f7858affddddce7 |
C:\Program Files (x86)\WanNengSoftManager\WnTen6.tff
| MD5 | 39b59f56c7cdcc204ea2e2f44f0f11ba |
| SHA1 | 5a6b0fa4849b38fd75edb0b66c1e8fcd4f70b17a |
| SHA256 | 5eccd83aa0e78f466a14fa4862d273eaa1999fed6cef6f451c6d7b829ea71388 |
| SHA512 | 88b8ccfc1989cb4eb365562240a96117e2cb90601f053e803bee1c10defd17323a10e946797bd721bae6b4d8255a03f06a04266010ae838657e37c06525b85b5 |
C:\Program Files (x86)\WanNengSoftManager\WnTen3.fes
| MD5 | 6a99dce0aa4798a921799231fb98d0b7 |
| SHA1 | f986740992007f92ddb6db452a0d4ee7a3de3b3c |
| SHA256 | 64cad370d5373313a05e71efc4d719b17b4801576356e693b47e4515fb64641a |
| SHA512 | 31b684a3e72d36f6077f792257c4fd33ba79eb7a02e153b0898bfcaa64c8dac931b7ee7b371784b88b47a014fd744df2743388773444b82d25d65932b64d6eee |
C:\Program Files (x86)\WanNengSoftManager\WnSvdarme.dll
| MD5 | 2ea1bb79182e0832833828cf04288fbb |
| SHA1 | 3613dfa6fd8a15ad931db368fd4928d4836143e0 |
| SHA256 | b3c7a548073644da7d501e663cad09feef8ff30a2b232e58e2c50b6c8ca9d801 |
| SHA512 | 55f443552a1cd1762dd5eabb35db459cc51d2bfadfa07a3a7fcaca99d437c1d077b84f660a08805af64c69bef0d0561c579c6d15e01b44b02218f8a932b813e5 |
C:\Program Files (x86)\WanNengSoftManager\WnSvceous.exe
| MD5 | 7333a527dbedff3be88294d07dd9e4a1 |
| SHA1 | 6aeb844db20b0f440734bf53283e57619834db7a |
| SHA256 | 1ee4e893e72d4475d49ac22d3290a8a7e2fb2a14cbc22eb6edd2d382b2ce20e3 |
| SHA512 | 12f60e7caecff70bf3daaf36dab9d1b9bb0b548624da62a387fda2ce57927961d1fcd0631be31b4247f4190d056f5e6d60bba8d50597714285e1632e86294580 |
C:\Program Files (x86)\WanNengSoftManager\WnSvccen.exe
| MD5 | db101c5d26f7d92064c6d3faaba20175 |
| SHA1 | 683afd3c7512886d0f4c5987deefafb5f396b573 |
| SHA256 | f5cd65baabbcc556b0beae9e6e65b71b5fd19b44f7776cfaef9b6bd09bb156f5 |
| SHA512 | 07f56957258ed8bee16577998bbf97f7d8ff799cacf865fdb47029dc008af6df632ac55e860b0f859b7525d41478f06885bda89185b67f73c79eccc30ec83503 |
C:\Program Files (x86)\WanNengSoftManager\WnSoftManager.exe
| MD5 | 14f78023f4a504ace87f681028eae4be |
| SHA1 | 8eb62dd9894adcd90bb080b7cb33bd9affc3c05f |
| SHA256 | 5a2102ff5ad0f9ed8a1c10119e90f9d2bc432595df4b7fe85b089bd14527fc81 |
| SHA512 | 24f6e3b3116c8dfd297cc766bc8e54fa6f40ce82e2d6910a195b684e9055c5922b3206a80e5f4dc7a0144e678309e21ff46b6cdc26b56eb313f514cbe52ec998 |
C:\Program Files (x86)\WanNengSoftManager\WnSeve6.tff
| MD5 | 17758d686860dddfa39a0515829a23c6 |
| SHA1 | f9efe7b295d31b3e8c359f8e3fe2e893fd0ebfce |
| SHA256 | 241610908c9f40566296f34066195c0606b577595b84cfb282337b58e23d07e1 |
| SHA512 | 664f0a90c40d7789bef2e4866e96145d32d5dfafe329b6c62c54fe9bf367317ba5b69962454d62e4c94b9b9530df3d64d702bd54bac24ab380243ba6b6426a4b |
C:\Program Files (x86)\WanNengSoftManager\WnQdX.tsc
| MD5 | 2c4fdced429b803305607ed171dff5bb |
| SHA1 | 449000b216cbb472bc18b122c4fa516adb299a19 |
| SHA256 | ce792fbac3c45906e948319f9e06d2854ee6ab580220f66c562cd75358b1a894 |
| SHA512 | f499a42044774222c3221fde90b0c33617ff329b2d858e242a31f6f365c8b36a7628dca24c41d92cf2adfc36813ba5cb309f48c5ad616377b348124837784465 |
C:\Program Files (x86)\WanNengSoftManager\WnPatemar.exe
| MD5 | 1a8d6b945faa865f5c189bba5df42844 |
| SHA1 | 10b7c7628a40a882de155722c2d7942734fe4901 |
| SHA256 | de8eac7f944a6c99a894b74fa4327f765cb381d4745602f3acbbcf1c3a7ff5ab |
| SHA512 | 579993711e6eba9a54f72a04f13209255e50656277dac9e0309ca77afec3acbe12ad3ccb4337afde70e2d5db7453a0ab557585e45da4699ebe03bf1d635777b6 |
C:\Program Files (x86)\WanNengSoftManager\WnMfgohsht.exe
| MD5 | c9f30057628368706bcdc4cc1da5fc27 |
| SHA1 | 8447d2ec544b4288c0eb4f0c913cdda8e475fc31 |
| SHA256 | 64b9caf38355a451b34e8a7d012fb7e60eb4b76fd98fe82c096e0e34268d7d51 |
| SHA512 | c9135fca1f79531a5ff16c6a641dd110952f7b28958a245fc75a7ff2a8c8c271b4c2c95ba2f288909ffbfefca70c7c12f0a8ae0d763c69d5a93bc50b5ca35eb0 |
C:\Program Files (x86)\WanNengSoftManager\WnKernel.dll
| MD5 | de11310bfdd3f2d2bf49201dd1914699 |
| SHA1 | 4625d4d3bf4ece6599fbb1abd7357438c6d76ae5 |
| SHA256 | b485275db6102a1c1fa41b8b260d35bbdb7600d6d1c32099c54b3b6750556699 |
| SHA512 | ee91e6d5953207ed69b011ed06ed1fc95fcf86d392009802a6f4d080fbe306123c30cfc7a5e64839a51c5cd018a4e147dc3b962088a3a30ba2f0880ba59b437c |
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtp.exe
| MD5 | db553556e221b52c88a80b8005704737 |
| SHA1 | a76664b31a66d6f117a50224010616a335fd8e21 |
| SHA256 | 98813ebe375289f2f514fa2064c5817f9bea0e89a91f16455918b46e42d7ed43 |
| SHA512 | 4647a12b9ca93a4fd0cab4df518e5b0a66a5c5984ade09db335905cdd9da89074572ad3011c9f4a14823a08653183ba6ab4cf799ff1dd10fc13f3346f9d7d71d |
C:\Program Files (x86)\WanNengSoftManager\Wnhghshtol.exe
| MD5 | a177078edd4918268d7c2f9b0ba086a0 |
| SHA1 | c8229ded91155bfe0de7ed49fa6df988129f7064 |
| SHA256 | c7459aeab6058396ccffb3e0b7cc45fbc39b90b86ec3c50accc4a5e10ff52edf |
| SHA512 | e6f9680b897266453706cd236324551ed69ef9aa5061a5c1c5ad45acce8fb635d09174c760ce998403261e774d3bff207d73d2a26e97b78d9c120cf735f069b3 |
C:\Program Files (x86)\WanNengSoftManager\WnFerous64.dll
| MD5 | acd59a749f0e56a163bddc1f454f69b2 |
| SHA1 | 08f05945d666c6e19e0e8eaf0ab14d26eaa424fd |
| SHA256 | c7fce5752658147e008cbfa8b39dfdb51615ff2c0e73866483bf829c375b8ce5 |
| SHA512 | 627b027abdd502738958bbf62fdf737cf8a0930e4ac5c54e4ef5d74e6493d196b69a6b3911518d115fbcf039868e16e88ba7b1d6c01d8a993c945e99bb6ab234 |
C:\Program Files (x86)\WanNengSoftManager\WnFerous.dll
| MD5 | 6b5253223698a88ea8393c0bb324aae8 |
| SHA1 | df156ead59e070d232aa6488c8ce1d857617aa15 |
| SHA256 | 3ef4d209c611807a27b2e01298ef2651a25b01f389ef59c60997a019bf14c575 |
| SHA512 | 595aa7805198984cbcceffc71ad45d1fb4b6651987030a78dc703f0f0d575ddb7606c69fc5aa1e563a8d679f0b56b32c436b1a299f1f5e173d23d35e8ecc0a18 |
C:\Program Files (x86)\WanNengSoftManager\wndr.cat
| MD5 | 5d61437ee311a8aedc5af1d92b520a23 |
| SHA1 | 4411b26ed712a63a6dd15d909e7c6c6d29d49400 |
| SHA256 | 7f784e9ffd1ea2e8b19ed583db8d395d643186a7f930234ee69fd71dcc208f3b |
| SHA512 | d0b1c5961e067693729546502255e91721e4a97e5413e76e9f19d73e774ff3f55ad89713f3b643c88e096958103536d600ef768e3eeca2d8a2b858b3953a8ff8 |
C:\Program Files (x86)\WanNengSoftManager\WnCosemism64.dll
| MD5 | d468405798b4794714b55d7acb5c337f |
| SHA1 | 6131ea842c69cb2cf0b8f1b1be1558168e023fb1 |
| SHA256 | 550994432a9ebce0b266a2d7892194e89d5aab4b2b6d7dae6b102fcdcb803c84 |
| SHA512 | ca64de673d4a2f4fd63ed7347f7d9e0743c5ee5583563423429f1d19952f43cb91ee61e8b85f08731325700e92836d5d4026d79929b0e1811c25a6aa06e8ee1c |
C:\Program Files (x86)\WanNengSoftManager\WnCosemism.dll
| MD5 | 7b77180aa387e2480811c118a30dd05e |
| SHA1 | 159d07f6a313f130f046af392aaad50bab80eeb6 |
| SHA256 | 355943ed9b2bbb59ab4298b83d3a98290a42fcee87a1cd46e7c777161a09c106 |
| SHA512 | 90549e017e331761632f8b5fddecfba928401fce2a5afef5aee665f980d529666ffb36eb5bd5e9cec78b051b4d3bbfaa35f0b72b85cc706176b4a1b5422b6afb |
C:\Program Files (x86)\WanNengSoftManager\WnAcelein64.dll
| MD5 | 1b900520d1c09713f2906f4c5b9d8615 |
| SHA1 | 38f9967da362505caa4b8a02847288662752447d |
| SHA256 | d8dd77d93a35ffe5d55f16497ccb3ab9cd0c4214d9b6d82ce48c9c2ab2cbb697 |
| SHA512 | ccadfd98bf7b4127ba2feb0c040b4af27c2749cc4d063ba6a3f96b10e24fdf237f98f3a9f923f3187461237bd402e7e6bd086fb1bff8847d0e49981f1f639f12 |
C:\Program Files (x86)\WanNengSoftManager\WnAcelein.dll
| MD5 | 8e2c5d3c053319ed8d63483d256449bc |
| SHA1 | 961dfe8155befb9947f58c84df4c4fb32623c911 |
| SHA256 | a1cdb58efe50c9824776219541ec36fc9532f0dc68e6f95321bdf4c538387637 |
| SHA512 | 18b2e3b861db93b1ea1ac090791296aa25d1d2a6584b2624b982f044fb0142c4c413e134cc244d3b3273f90150ee7a22fda1a92bdb5f1f34bf95281579a8f042 |
C:\Program Files (x86)\WanNengSoftManager\wke.dll
| MD5 | cb099b500ceb0e2c123ceef14bd7183e |
| SHA1 | 7c7538b9bade66b4561bc14183b31deec50d0021 |
| SHA256 | bb68484b71147c91d664bb23de320fdfdec1cdb42d64a3dd9ca74010e8d47592 |
| SHA512 | f74f5dde21c733cbaa5e13434d2a82db6baa45a22bb1c466b4a064f77af625e0672dfca81dada6c8f0cc3c2f8df995be583dce15c236782b01c90d1be7073705 |
C:\Program Files (x86)\WanNengSoftManager\WanNengSoftManager.ini
| MD5 | 78c996d1c37af3ef09b0c61a08cc2972 |
| SHA1 | b4e98c080a418ddf736758648a11c6f6c44ac0eb |
| SHA256 | 7bf8e8c3d18ee13e02bc5a8917717d0b91d1c1f4a52cfbb944b618f15e3b4f10 |
| SHA512 | 352450c33ed4796cb7649dc60e26b6a647a8f2dbed52b99600999986e37c825f113747f36ae751ca6be2adeaff948ab6f0c9dc9c04cade1f7bfa438496614635 |