Analysis Overview
SHA256
0ae4b5b1b26c249a955feb8ef12eb4269020542ece9d928949570c1e017b4a80
Threat Level: Shows suspicious behavior
The file a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Windows directory
Executes dropped EXE
Drops file in Program Files directory
Loads dropped DLL
Checks installed software on the system
Registers COM server for autorun
Enumerates physical storage devices
Modifies Control Panel
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:05
Reported
2024-06-12 14:08
Platform
win7-20240419-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WNMutualRunOne = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnCore.exe RestartRunOneProgram" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\Wn.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| File opened for modification | C:\Windows\system32\Wn.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| File created | C:\Windows\SysWOW64\Wn.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnConfig.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\PYPhrases.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\wb.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\Header.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\__.txt | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnPlugin.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnwb.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.idx | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNTSF64.ime | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\lx.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\TTXW.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\ABC.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNCloudHelper.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wn64.ime | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeBrokerPS.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil64.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\yy.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnSkinInst.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\dz.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\gbk.idx | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\___.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.markov.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\ZiGuang.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeBroker.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\PYPhrases.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\MS2003.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnMoniter.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.phrase.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\XiaoHe.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadNetworkName = "Network 3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\56-42-83-c4-9d-5b | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = 90a617c4d1bcda01 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionReason = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionReason = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = 90a617c4d1bcda01 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecision = "0" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecision = "0" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wncl | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\DefaultIcon | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf\ = "WanNengWBImeSkinFile" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\ = "WanNengWBImeDictFile" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\DefaultIcon | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\ = "WanNengWBImeSkinFile" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnSkinInst.exe\" -install %1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnSkinInst.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\DefaultIcon\ = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open\command | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe\" -install %1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wncl\ = "WanNengWBImeDictFile" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe"
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" InstallWuBiSpreadOperate JaffaCakes118240612
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" CheckSysMb
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe" RunAutoLoadDict
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe" /InstallIME Wn
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateStartMenu
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateWGDestTopShortCut
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" DownloadCellDictMb 2476,6904,6448,6452,6446,6447,6913,2491,4174
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe" StartService
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe" CheckInstallIme
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe" RunCloud
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" SoftExtraOperate
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe" RunAuto
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunPushMessageBySrfAuto
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" CloudHelper
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe" AutoLogin
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" UpLoadUserTypeInfo
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" QueryAppInfo
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunServerCmd
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetSrfCompWndSpreadLink
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetWindowPopData
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tjv1.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | dqxb.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | tjv3.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | tjv3.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | update.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | tjv3.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | ua_upconfig.wnwb.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | downsrf.eastday.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | theuser.wnwb.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | df.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | tjv1.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | tjv1.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
Files
\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
| MD5 | 73cf4d8b60648fa84617ac9804f48f29 |
| SHA1 | fd12af2bca8a09394b99c848c4bc507248512359 |
| SHA256 | 8154ce3a561f7a39e984d875933d8f5825c53e192b9c03f6ffab4df330a0f1f8 |
| SHA512 | 95bda0498bddbb08ba67ac03c3cebf4e8c7063525b9783d249c5882bbd788610daa545e105f028d7cad9cd253ec80fb0f4e1215a620ac8a5a903042a47a6386d |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini
| MD5 | caf10e2ed911f4e676c7de972222a9a3 |
| SHA1 | 05726d27e3dca8628aee576933b98491f553e3c8 |
| SHA256 | fbd3651c51a18dc181752864f443c166b3d521cbd23a50264dc51bb248957669 |
| SHA512 | e0c6a56f89282ff10704742966eb42ca58ecd8b909b49c8bbc8b1801d32e6baa1ac0bf74da1a9fcc6cb577d42fd67848ff673f49583ea52ae27090d98bb93925 |
C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini
| MD5 | b92aeb3cd3c5f3c0e6840b5220758a59 |
| SHA1 | 38b24727a298d5aec3ecfc42b71e51c1146a5063 |
| SHA256 | 4db5dcba3d9f597892ce8ae2619f38d0ef1a843fe19fdeca506884f33cbcaa64 |
| SHA512 | 75b2eae3a5e088fea8b44a381a27292836e5eadf9166dcf09460c7347d1ef66bda899c02143a6fcc27b9a3110c034ebe46e5628ab40b92dab9bea88a06f271e4 |
\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
| MD5 | c88cfb5d130b7f971922584976ef23f8 |
| SHA1 | 5c06fd6eb51482fbbb7d10fb93ca6d0f84402830 |
| SHA256 | 1fc17489fda6627c2105e0ce5901b4e73ee0acb8cf7344c9b26b0d9b909bf2b0 |
| SHA512 | eedb196c17f746556a50ebf619ea17d54861ae74edcd1efa623d9c95189e99124155b87e05b86810c61c55b0b0fce944658c4c7a52698771a6b435f3d20c84b6 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
| MD5 | 1c303a4d36d0f0899a4b814bfa882fd5 |
| SHA1 | 2d772b40209b01bbbc23fcb2f4963a924d0b2deb |
| SHA256 | 15fa4fd8a148f89812893256647e1d412c0e8ed480edf89004f36cd041b1ba05 |
| SHA512 | 9baad17e2e99944493bfb646b813b59bf169246cafc3ba7942434b8ab3e78c39e4892b1eaf36482ae886713b1a4b3b21978945f3d4fe0515b51fff15b512f878 |
\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
| MD5 | b0594248b7d76aa6c865d26ed0bd0c11 |
| SHA1 | 7ac533564ae5e27e37738d454d27b05e6f25e241 |
| SHA256 | 7c1ff9ce73430ebaac99835316cbcd466ec68bced186a735336937bb67024ed1 |
| SHA512 | 494d61954eb197c3e3603605ffd67b0e912716975e92a5e1c4a5362ab06d471da22bc192be4a0a233982759c81bf792dba6387dbab85d39a766807b99b71530b |
\Program Files (x86)\WanNengWBInput\9.7.0.0426\DuiLib32.dll
| MD5 | a3818800ad55631ece2c6389f58c437e |
| SHA1 | fa527223fa27279cf9ea960b86cc8df06515a006 |
| SHA256 | 06e248ca24fcedb2c4da03a0aee95b21ff396329b5dd84a84f0729f84b151f79 |
| SHA512 | 999497bc97cfb7d00b74a66b13778f013a1e37b700d8d5ca7e7698f69ac8246d47ada98d0ec7e973d1d47da403541a4e053428f6e42a2fe5ac1009d777d7f2fd |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini
| MD5 | 7b0aac4ff9dbaa7643af98c483f02ffa |
| SHA1 | 2335d99e5c8eab1fcb3b73bd43f63f28d6e451ca |
| SHA256 | e5619321150dc1f6982ebf13e2bf4ba9f8d45fe7ebf6cce847a010809e748474 |
| SHA512 | da329b10c5f934d79f195b6c0d1e00c65df799bf87881baae55ad6d2c945ada951c407a470c4865d98f39222c6fd22009200a06e05fb8aa29f82a5c9dd3e7045 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\wb.idx
| MD5 | 2ae94b7c9295ce2e4703f9fa4cfa5aed |
| SHA1 | 36a7941c8c3f6db4fdd9253d8b795133220a5af2 |
| SHA256 | 3f6f51e3f908d4e4865ded188c4fb5c820016aa81a1c58b0c9d57696c56553e0 |
| SHA512 | ac1518fd4a6727bbf4c0bbcee23a83bd72814ababa0038c966ea11d293f6788777d97e76e504edd1028f577286b5cfdece5fd375c67dc20c7fee0941cc30d929 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\PYPhrases.dat
| MD5 | 8ec0355207fbe37b7a42b4694867c679 |
| SHA1 | 16ca274096abd242a5848d930eec3548f446f561 |
| SHA256 | ca96656b5076ad0e4ea7c2f4abb9c2c83112b5f30fb2c67a4032377da2757c8a |
| SHA512 | f6f9e075ca04b99ce1a92c75567713360d4c21489801e2e0a911033a4b4002e67fe2371bee8b9243678affb8083f2ab801a64df8352b188b38435c583ceadac3 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Wn64.ime
| MD5 | 2d57bcf8a1cb08e5e34ce9d76920806e |
| SHA1 | af09022574afbde10c836dfec06c9d19fd918fb3 |
| SHA256 | 57f23bc27f1dde714edb96c867dbd7bab49bb06aaf46c6d88b412e738fb7058c |
| SHA512 | 556ae808a59ed557c72922da3194d316d6cfb03b856469ab998bae83af4eae769faadba10f0cb5c97e622adfa0d1c4e933361279d6ddc62af9bf14e7c4869c95 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 208635cdb80866db41c09ce7041ff544 |
| SHA1 | 238f88eaa2f599efd4e0d88284ef6ad44daf8e0e |
| SHA256 | f13e099b9407c4218ddd6139d9098fb4a0938e1078180ba50735158769672464 |
| SHA512 | 5cb1779cdfb4e6a79354dc487e9abc412bb006cfc9b2957199881f5059e2bcc8f274a7daa6654a344c1f12b9fa24cdb9269de0a2763aa69cf4af9a6c1af8f228 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.idx
| MD5 | dc8d2a5370364b8a7914214a593178cd |
| SHA1 | 0ee4218a416bbd753fb20f482baa8bda9efffdc4 |
| SHA256 | f3ccc5d6d199bb88a4f0383b7c0079090a90ec547b1320bc13cfb26f577c9fc3 |
| SHA512 | 4e90443b304ccee6104c8d132d9176fd55c383f8570cb3eab755c22067cc4fc37bb1fbfac960ab3430535278cf7e98dd6ecb8b2fe580807275d2e4523917d358 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\_____.wnpf
| MD5 | ce980d401119ba58791fefd113cbf26d |
| SHA1 | 780a170e4ebb440d6528828a5ba05100f56c0681 |
| SHA256 | 83b50cf01aa2548459052a8f8515784c7e2d682028919ec713b92ed19a7dd8b8 |
| SHA512 | 5b67f6e94eb4a9d9b32f5c36355d17bdf91dd5d1c134153710a147bcc2ac13a2d6f3ac987ef67563c89dd23a86bffdee3d858b0d84454b6800802af262199dca |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\____.wnpf
| MD5 | a27fa6e5270a704d1bfb65a1fbcebfd8 |
| SHA1 | 6bff0aed16f06b30acd005e215734caca8d11812 |
| SHA256 | d0a11eb04ab745790bafc34c5b0bd13d2798669e7c77017c95c31712543b218a |
| SHA512 | e1bafd08db5974868d0127c81bd7db0b6d47fa42ef0fa5924a1b28ff270ec74a5710dd37587578d1da712c4b84620043a38e6ac9113cd5868a5c18dafb3404dc |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\___.wnpf
| MD5 | 0c3ab7880f71f521a6405cad27a06e46 |
| SHA1 | eae5ad330b4a0ca346a89c6c005ed913fc8e9e07 |
| SHA256 | cf33679af59ba9649f7d838d37bd016e1ba2bf82479527a47e598460d479388b |
| SHA512 | 5e127b683d53057cc14200637c177ab612bb6e7d1e7e45bc401ad24a0d488cfd1614e9a62954f82531f5c90d58f2b32c7d072ef4e0e7112cf151d2b097d26668 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnconfig.exe
| MD5 | f3dacf5114d0a6d337cc28b1bc8aae51 |
| SHA1 | 32c8cc756717b4dda65ba30d96e52f0058d6364a |
| SHA256 | e33c9ee1d03df84b3b340a9298738091ad5dbeb06ab6c5df5fc0132715528db6 |
| SHA512 | e1d6db26c7a94adc7689adcf602e088ed76b05bb85e24a0460ff53470fcafbaac5725e126d832927faf5068ff6ea8779deed493d563e28a93a2b6d4c5a46101e |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wncloudhelper.dll
| MD5 | 5b4786b0e75ef5955b8f3fb97dae34a0 |
| SHA1 | 541f13c7028879533f7aed07a957c48ba49c0127 |
| SHA256 | 29a83e2487171dd42513ff28e6716e8978656c4c3d826e91a68081eb426d56ce |
| SHA512 | 177b9d475da40a6375ba4c782be670b377a005328c225cbc4990ed36dd3253108b298b5f4c160f273f5421be70a7ec2b0cce4ee50247e2621bf6bef34025256f |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wncloud.exe
| MD5 | f588002585b8188262ab057550980aca |
| SHA1 | 33a8a9c9c095868c5f9127f43c849906e7ec7c09 |
| SHA256 | 94801f62781ec3654ebf72ed3b589c3e8c4bb222a7f0bd508f8e17923c4b4ee4 |
| SHA512 | bd78055e5eb75dc0091f55c110582b94542d783818749473111c7c85fde1b83845a72ab57761ca4539d778c781b57a617ab0853e45fdd62b86e3d9b3b293b2fc |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnaccount32.exe
| MD5 | 050bf1429acf8bad2ef48ba135e6d286 |
| SHA1 | 72c40aebc08d13ea084bf05ec2a02beece58fafe |
| SHA256 | 4588275806e684f317028c2cc57d30028d47b69e3713a8e0d6566c818b5cc468 |
| SHA512 | 1b2085645a886006baebd6bde06962d9d4818d90f727bb7852c5737e8763d26af8a5cfb5d7defc1a2460da871c2dd8b6d03786745b236dbe8d81d2152d134f35 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\ttxw.exe
| MD5 | f67c16319f464404c57a6cdad6dab2d8 |
| SHA1 | b3de9af64f35a8688c6c1a4890b758f25085157a |
| SHA256 | c6474f9d2d4ab08350630841114956132d8b40747d91a943bc66a0bfd361a533 |
| SHA512 | 9168aa46fb17fb9b8a6e0d28cccc2f0db8481031be09c256296fc915a69fddaf55a3693c604f147c5649746f14dd636d6cc8c024989ee5d089607a2d50d35268 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ziranma.ini
| MD5 | 7a187c3581532e9674af71d62acf73ce |
| SHA1 | d3154847f9e5acbf00606dabf1395d7e9af75772 |
| SHA256 | efa6b34e97f3d18407bfa227e3b6e5343ec276741a018ee001b8b5169bd5e940 |
| SHA512 | b909f964cf2e3cb473908cb5a67da51502be44a73e4f8f953fdef8f8823eaa5a4bf6d6d6d5787b7e74dd4d88d3ef0ce003e5d631c12ed25891dc1096d8fbbf0c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ziguang.ini
| MD5 | 1c138777608d0267a01c1982faa95acb |
| SHA1 | 1e8eda38388b347aa55d82b23b5f4d4501dbf7fa |
| SHA256 | 237b0d9012bc598fc432091b4f4f50a87e403487d1b2c1d15e61862960c56c27 |
| SHA512 | c3e360ab5548a0e9e74e619824f36a4f8a9f805b868b5e837a4426c1150960bbccb0367c0dd5ec961bfca3a09088863f573db465a9f8bcbec3cb99509ba6a18e |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\xiaohe.ini
| MD5 | 00de27aa4722e80364e1540486872ad6 |
| SHA1 | 00abc77afe64bd94c37266f2423b810b2aebda7a |
| SHA256 | df27342537f95622e7fedd734ba668080ce22e63b98f933732cfa18358826eb4 |
| SHA512 | ec22da353106a3dfcc27a80e7facebe58cfb89a32e430cf9d7674497d6aeb3b8b0236da5704395652f192762a22934557335fe21a66a9b7dcff63e04b90debb5 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\pinyinjiajia.ini
| MD5 | fd1837ae270311d4cbb9f5abfc9fc47f |
| SHA1 | e40692501a1d7838e169973f047644995a5176c7 |
| SHA256 | 9a1084d93edc5763c75d94ed18dad9d30e534690a63d91aade6b7a8f6559e0b8 |
| SHA512 | 2d8dc4abfb31ec33334dd135a776a68f9728cb361a60825deced1d15840ff6191459474dddf9b26075b6385c383d5c6dace2a228b8389074f9ed03d3b3b90114 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ms2003.ini
| MD5 | b667d31de86e3e87a8f8d128af0bb8fb |
| SHA1 | 820f2bc0e647c6f2f8a0093a8d79e7740b6a6b16 |
| SHA256 | ff8e629547151ea43ec2261c3b80a4ad77911d8965cb126a542e2d597c5ef565 |
| SHA512 | 5db57f61511a001d0718c64f3cc1f4af4611e4ae70c2917a3c90ec2b175e6b17b3ac5330e58f0dfe415dd9983836a41f36dc2f7c096c81fb35e97f9290fff71a |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\abc.ini
| MD5 | 8c19e1f441c7ce4116c1b1c87bab2ea4 |
| SHA1 | 807c3aadadb40050e95c553241500bbc99a37c1c |
| SHA256 | a05234ed4d989c44770b03505422a4313cf0c8a34162766d7e7771c75cfddcbd |
| SHA512 | dd4b6756e3fce0cca15be2bf8cb9441866164a96e93b6c18b16c3783401934db4f39b315f1850722f8cb222fb97671d0ca9aa9feffa6fc9613b0e8abbcd5d13f |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\scrsnap.exe
| MD5 | 695ab9a7a83ee188be36a2d6396b4aef |
| SHA1 | 028dc6feb77e2498c83204d22183ccfacb88a129 |
| SHA256 | 663d1759874d27e41052ab2a3db7cc4e03bee3acb08fe49b1588169c52959a89 |
| SHA512 | 2078f83d8d5a0b0c0b3f672f318c350e55adce94b1a91aa1bdd2a58dbb0001de8733516fe9f2647b79ef77db1647a230d84fd2e7d77acb00834f37237e8349ac |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\dict\wbphrases.dat
| MD5 | 453f5946cd5aa1fab3a621c02ba13ca0 |
| SHA1 | 774d5f7f4db5841cdd7d28f186d634a53b5e15f7 |
| SHA256 | f957609e64a1bb3d1dd193812c0895f0fae413a8807af9ac8770c5e0939b59d8 |
| SHA512 | 89d8d7487f522784a9e30639139c62d98983acb8a9167b81a25229267dfc7aa0a2f26b3a10c6800603e6c19d43ae409d91351d46e161cf8c31f29620e46d620c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\dict\header.dat
| MD5 | b2780bfc24b6eb1716cdf6f0ce56b5db |
| SHA1 | 337a1053094106cca10aa38a0fb8699c562eb03e |
| SHA256 | 7aed87f85e9da10c4fdc2eddcf28791358aefcf4adf0390b8076bf7c87b6c7b6 |
| SHA512 | 5fa23a001fc02901f5b94ccee007a7bf9d8a6127471b92a979b309672297ada367525a1859efe9a854e72227c0cdc74b715fb471102cbafce4aa447a04784a0c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\config.ini
| MD5 | 578fb92f60250da9d6247e50a8c13e1a |
| SHA1 | f10beb7310a8b933bb8b9450a2ae5d6dbbb1f906 |
| SHA256 | e6dd000af22df8f82e856035883dac2468d260f54ea2ebf450cec996b75d7be2 |
| SHA512 | 99c46badb824a04a3598e7ab85be06e828a860b817ea1a1edc256f7d03778fe48d0e82b61cb3ad1d22431cbeeac578bc6fa9ff5b267d4e84d479e20ddf22a252 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.dat
| MD5 | 66194e6414f9142db59bd19cbfe3f891 |
| SHA1 | 3cc8bb6d7fc70c54a429e156a2f829978fa00941 |
| SHA256 | c8377cd117f9279fdf983660525ae57f5241081ca078ad3b72735c79427a44a5 |
| SHA512 | d7f5b925b358037f568fcb9e78a20faa21125f0a13f6f07bf1e0599bb3e85041ef7a5520bab3cbf6d8878649a755802608d035a40652130b4e14bcc5fb1416ea |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.dat
| MD5 | e3ec7d071cf338406e2ae25ae1de837c |
| SHA1 | d291f28dbc3c5c4073190f9d4b59e192bdd5bc00 |
| SHA256 | 70aecbd98b655a83b1a1cff8b99e15989a4befcff22940a31e78f0cd6ae002b5 |
| SHA512 | 1a2d07151c03797e2969f4f559df4c814684ebcab4b837ec7ab4b6e881db6f9220b4322799ec86b3c9cebee1fe447e69fdcea3ba5e560ff6b182a517de71c7a7 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.phrase.dat
| MD5 | 107912ba37911fe82eb4988cd20e36a3 |
| SHA1 | 9f91e1f78ad1e5ac9b1755feb12a560a05ec8b13 |
| SHA256 | 37de573fd8f348b04edaf11bfa41dc89dcdd73b87807abbad3579a202de3c28e |
| SHA512 | 242413a4f8b965a6ff01ca046c06046168a61e2df022dd0916b52e22a39e67d591ea464224b6247a23ae7e362d224185fb9cd0fb5c42e55eec1bf7ed2554e375 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.markov.dat
| MD5 | 199b1e07b487dbb76705972fc87b0475 |
| SHA1 | 722623c68bda6956f49cc77ea53b53adc1489a81 |
| SHA256 | 49007b2ec759e15198d01d908d10ffb782f037673ba9267a459737c93583000a |
| SHA512 | 46accadbd0f089cc3caeb8678972201f3012905f101d3691e7cc695f679c2aa343b842131bb655aa92a980146720ea0678d24120c50bf51662f8365ed919202d |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.dict.dat
| MD5 | 4f37c718863b2ebfae4a1dfc468d5b3e |
| SHA1 | aea4952b9c7aa7ac82a8fac1ab146104527cd9ba |
| SHA256 | e08399c01d272ab9002c8cfc248eeddd741dd30f2cd99f9c58b046b8d852e2f7 |
| SHA512 | b00f0545b382af35c6372070ba6c79ea3df5bf6dfc04012d2838fe6692da6cb85ca2dcbc7fc6f5541bde8ce3d1b9917de9b8dfcb3384b9b4bc463b9719596cbc |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\lx.dat
| MD5 | a2e1316bfb1b91f41608b3eff971f14c |
| SHA1 | fa610407b7e00af14e524fe850b1f1da33bc0bd1 |
| SHA256 | 4537e4b2f190b234bb585a4dcc7e4bef802d128fd2272f84fcfaee29011b30d0 |
| SHA512 | aedd29442c93904ac8b057eb7c37611bca7c47737e626000cb509bc761d95799d120844d1f896db777927062b1de02a3e3e9e67b84ea3de9c0a9f09c3426827d |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.idx
| MD5 | 9345156077f965a5b9becb2f666fcd4d |
| SHA1 | a2942102b142a255d4d752b7a0ac352f135f1e73 |
| SHA256 | e56f4ca0ee34027332842baa54269229a683a0ca38016d44a62251188ca0a7b7 |
| SHA512 | 379b73ecbcc136a558b7aed7671bf1089ad6f1ac0db012bfa35e752e62e812ab54c55b4301dba285d207b6d726b1a4183027b1c99f82898ebe003ede6b49804c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.dat
| MD5 | 5cd6826ccc90628e18e0c748c1ddb228 |
| SHA1 | 853b56b15832b3fa71adc94346b23a3ed57124f8 |
| SHA256 | 49124db852ebfe68eb87159e96edb2fb65c61da3b611c8395b4443a2f33fa82f |
| SHA512 | 11615b74fccf2cf4e0586660acfba55be7a51f83a2eb3c1889a77475197de8f338f13972036ca8ebdc1867f9990edef8525b8f3b7d4eb85bc1fa2604eb0979b7 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\dz.dat
| MD5 | cbb821b7649b301473d6ddc1f205347c |
| SHA1 | 222bceceb822ca01ba97f8340887679b49dec14e |
| SHA256 | 2c7048a15f2c9b9ee4b222ff59e3e70c11a5c3d5a7dc1c71a6ea568c773964ee |
| SHA512 | c1fffe2c3904c731bf825c8cec84189c1eb5d2aa3c2b541dde0a2ac61c7d16055f22374cbe608015f71343b2e437b2366105fff26f0571bccf8135c02b2aef42 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.idx
| MD5 | 5960cc64e17b3e24c2eab1b437acfbf1 |
| SHA1 | 873d156d75beccb63e8f28fa113746cdd5e580d5 |
| SHA256 | 7c2259f62ad84ea005cc1af6d6cfaa18808e1c8bc31a4e01727f63eb63d76f39 |
| SHA512 | bbc0a748ddbd457d1c36d7e170b1c75370d0060a35f0f9697f14d43fe8ebd73320984cbc4b73c9b0a6b4a7d8ad51f1bdc71b5e223d859f6e46249f660b6b7cf3 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.dat
| MD5 | daff0d8a8977274af7c8408d1573642e |
| SHA1 | d9bc49151004c7be355f40d9f62d23944dfa5166 |
| SHA256 | 38a35820e2bfcd02e3da4a3e05b8c9bfff50b5d3e26ff7115dc0cfdbd0cb1b10 |
| SHA512 | 2a9a209a35c794a94c07a3a030a14d0595f7fb6a107c864f712c58746485684b80da29efa9e07cc68b9cb4fa33e28972be0120360e39930e190c448946a4a25d |
C:\Program Files (x86)\WanNengWBInput\__.txt
| MD5 | 1521294de4b25e37c39cc0756c90b9a3 |
| SHA1 | 1f7e6f4430d20ac7e12df089c46c6718c78aa1fc |
| SHA256 | 80eabe7b9d206602187e07cce75191757787a1582045f289d3ed0e054a7de47e |
| SHA512 | 066d6ac39f02d7793003d5a7b6fd3340e4c594638c08a6da3b05f9680df63df82415f57afae9eba920431c6bf673d046d88648b5dfdbfedd55b8352b8dd859c8 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Wn32.ime
| MD5 | 86199a4308a9a5eb30f3760c7e045ce5 |
| SHA1 | e9c92f98467eaa9c30627fb64929dc77cf2d448b |
| SHA256 | 4e1243534e1bd888f1cd893c6a3551b1342cc063e2f8f15608d9b52d48a80157 |
| SHA512 | 727bf17cf5d2fb5010f3f713b336bbc8d1fe545eab7202553771ccc3816c364c15b198d5c1df0db0240284848ba76d35725ba74fa710e2d4323d0feab0e15957 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Related.ini
| MD5 | bbe122341326acd70c1013d812813639 |
| SHA1 | 2b758e1b8fbdfa578358968aed5676fb9d6a3dcd |
| SHA256 | ab81794ed0775fc8b3bf0789df3af606f92e1be47c19963e5ec1473261e2821d |
| SHA512 | 39d74d6ffa84545eb2abcaf52da906991fed56a5603131ba659a8a0cfd77e1c664f88ca9f756c4aa6b73c1a5bdd54b06f015e9dee24c0657d8baa01938ea63ae |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Config.ini
| MD5 | 2da784ee50e7e8f867e15b6f4a4ec136 |
| SHA1 | 058c25deaecf5a7769e9117c8c7ba02d64af637c |
| SHA256 | 780596e1bb7ec55695f9aa585df6d94b89f002c11cd6e0cb5c8b260d95853e36 |
| SHA512 | afd4a42f1c5f62c75c4b4abf7b70620bb66c2feacd2760c0cdf7bec2312772d1e97aa83f8c2e46de7432916c1ef2bc84f2ff19322b486db05ae617cb8d63c988 |
memory/2224-581-0x0000000002510000-0x00000000025AB000-memory.dmp
memory/2544-596-0x00000000030A0000-0x000000000313B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 19520b55d7c322e1f0ff242c18fcf224 |
| SHA1 | 650610527a3bfe5488ec72bfa0cbc6b25a39010f |
| SHA256 | f7a31ed18284578931fc744a1da01834c440d1518a1b43aee4dc67b198785843 |
| SHA512 | 2c434d8fe834a9047ee36093349c9332e9aa5911bbd81edc140662c3810f61fb81d7aab448d6187f39c77bc117c422b674b700d524e3a51695b0931d4c1141d5 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Related.ini
| MD5 | 10b382595fda635418d30880be8fbe2b |
| SHA1 | 8af1cf248e9aadfc5e69941810d08fb7800c6053 |
| SHA256 | 08d48d152750069ce636eee0e5f8ec84bacb5606f1f42df67545800ff4d62332 |
| SHA512 | ee9f8a220ba18f95ec1b26bb3d34ee797910c8c6c56222c4c7bf27b28633ae406fb39be415f2807d5de670c0b5ec6fd635f477a48d58c3a1f2f08d23d5e78258 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 07d81df64fa9372dd2bd8d5613fd2b48 |
| SHA1 | 105333d0c2d3480a18ad274b37b65b81c16a0317 |
| SHA256 | 8f537182d0bed2b946f8967b91bfc4dd6d2c4bd47f1037835a5aace466eb1a8a |
| SHA512 | 3b1c1a1c5993f26450fa7618dff89cab8a7024f13820eee5525954d3012f8be1a93f7d89db66e7b7385b1aa56f464bff596bd4ac06a349fd588a47193538213c |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | a5ff31a9f3070fbdd183dc55e0372751 |
| SHA1 | 46d2248b16c75ba3b7ef9dbb77a4316cfae1a3a6 |
| SHA256 | 1110b773f3884b7d3ee505433ea76fd1a7a72d691d7e69e8b2bec72f3eeb7738 |
| SHA512 | 65d91490757741dfa16dccf769ad86995f0b7bcff4e45044e207201b73db31efc2ea8e10d94917261366344fe211b909dbb2f3aa4d37685c94ce6d67369a074a |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 8075c79a98325ea3ba7adf29d0b3024c |
| SHA1 | aa7839b1b39b811061266de7236cd539da962c59 |
| SHA256 | bd3d1e831b9c03d229accb56f87611fadae500ac8b8d2c12758790d8b22a138b |
| SHA512 | 6edf1bb96d5080866aac862adc6510b60ef7ec00da5964dc9acd6537293ad3288d0daa1852edf63dbbd18a431db3da792da4c1ef69260979ac546f24dac01619 |
memory/1500-650-0x0000000002610000-0x00000000026AB000-memory.dmp
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 0a1551508e43c31bf63c94e832c13aac |
| SHA1 | ee342c37a05b5709390160f47435df4b2c8224fa |
| SHA256 | 211e3ebb4b50fbcb4c37b0b12ab7b1ab251aba88ef9cfcf248354d90ee65c4e6 |
| SHA512 | 58db1d49ae9d2d11ce9781d25cf0c6b9e8bdbc67408f525424f05e6fee8d0ff728237c2ef2fbf72865dc8ae8e9c29d806fd14a89bda26e49e6b72a757c083fd2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 14:05
Reported
2024-06-12 14:08
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WNMutualRunOne = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnCore.exe RestartRunOneProgram" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| File opened for modification | C:\Windows\system32\wnTSF.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| File created | C:\Windows\SysWOW64\wnTSF.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| File created | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBrokerPS.dll | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| File created | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Windows\system32\wnTSF.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\gbk.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.markov.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil64.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\lx.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.dict.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\_____.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.markov.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Config.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\Header.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\MS2003.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNTSF32.ime | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\yy.idx | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\PYPhrases.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wn64.ime | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnSkinInst.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\WBPhrases.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnPlugin.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount32.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\__.txt | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\PinyinJiaJia.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\TTXW.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil64.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\XiaoHe.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\wb.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNCloudHelper.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\dz.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\gbk.idx | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\PYPhrases.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnConfig.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.idx | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeBroker.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\yy.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A |
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ = "C:\\Windows\\system32\\wnTSF.ime" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowAutoCorrection = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\PreviousPreferredUILanguages = 65006e002d005500530000000000 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\PreferredUILanguagesPending = 65006e002d005500530000000000 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowShiftLock = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\zh-Hans-CN\0804:{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}{1E552381-07D8-4DB8-B086-65EF69BC9965} = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\en-US | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\zh-Hans-CN | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\Languages = 65006e002d005500530000007a0068002d00480061006e0073002d0043004e0000000000 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowTextPrediction = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowCasing = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\International\AcceptLanguage = "en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.2" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\IME\\WanNengWB" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\ = "WanNengWBImeDictFile" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\WnImeBroker.EXE\AppID = "{9FD1F6B6-A56D-4BCB-87E2-D03AC70661FC}" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\0\win32 | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf\ = "WanNengWBImeSkinFile" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\AppId = "{b0316d0c-da2f-40e0-9f91-f600caf042dc}" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32 | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe\" -install %1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\Version | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\Programmable | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ = "C:\\Windows\\system32\\wnTSF.ime" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ = "C:\\Windows\\SysWow64\\wnTSF.ime" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\ = "WanNengWBImeSkinFile" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib\ = "{60425206-4BDF-46B4-B048-C464D779C333}" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\ = "ImeCmdBroker Class" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\TypeLib\ = "{60425206-4BDF-46B4-B048-C464D779C333}" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\WnImeBroker.EXE | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\Version\ = "1.0" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4} | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32 | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "IImeCmdBroker" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib\ = "{60425206-4BDF-46B4-B048-C464D779C333}" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnSkinInst.exe\" -install %1" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4} | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "IImeCmdBroker" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\DefaultIcon | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1} | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32\ServerExecutable = "C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32\ = "C:\\Windows\\SysWow64\\IME\\WanNengWB\\WnImeBrokerPS.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\NumMethods\ = "10" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\DefaultIcon\ = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{33723E1E-1F24-4CF8-9A99-458D099657B4}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\0 | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\HELPDIR | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "IImeCmdBroker" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32\ = "\"C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe\"" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\FLAGS | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\ = "ImeBrokerLib" | C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe"
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" InstallWuBiSpreadOperate JaffaCakes118240612
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" CheckSysMb
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe" RunAutoLoadDict
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe" /InstallIME Wn
C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe
"C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe" /RegServer
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\wnTSF.ime
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32" /s "C:\Windows\SysWOW64\IME\WanNengWB\WnImeBrokerPS.dll"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s C:\Windows\SysWOW64\wnTSF.ime
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateStartMenu
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateWGDestTopShortCut
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" DownloadCellDictMb 2476,6904,6448,6452,6446,6447,6913,2491,4174
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe" StartService
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe" CheckInstallIme
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe" RunCloud
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" CloudHelper
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" SoftExtraOperate
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunPushMessageBySrfAuto
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe" RunAuto
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe" AutoLogin
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" UpLoadUserTypeInfo
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" QueryAppInfo
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunServerCmd
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetSrfCompWndSpreadLink
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetWindowPopData
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tjv1.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | config.wn51.com | udp |
| US | 8.8.8.8:53 | dqxb.wn51.com | udp |
| US | 8.8.8.8:53 | theuser.wnwb.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
| US | 8.8.8.8:53 | downcell.wn51.com | udp |
Files
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
| MD5 | 73cf4d8b60648fa84617ac9804f48f29 |
| SHA1 | fd12af2bca8a09394b99c848c4bc507248512359 |
| SHA256 | 8154ce3a561f7a39e984d875933d8f5825c53e192b9c03f6ffab4df330a0f1f8 |
| SHA512 | 95bda0498bddbb08ba67ac03c3cebf4e8c7063525b9783d249c5882bbd788610daa545e105f028d7cad9cd253ec80fb0f4e1215a620ac8a5a903042a47a6386d |
C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini
| MD5 | b92aeb3cd3c5f3c0e6840b5220758a59 |
| SHA1 | 38b24727a298d5aec3ecfc42b71e51c1146a5063 |
| SHA256 | 4db5dcba3d9f597892ce8ae2619f38d0ef1a843fe19fdeca506884f33cbcaa64 |
| SHA512 | 75b2eae3a5e088fea8b44a381a27292836e5eadf9166dcf09460c7347d1ef66bda899c02143a6fcc27b9a3110c034ebe46e5628ab40b92dab9bea88a06f271e4 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini
| MD5 | caf10e2ed911f4e676c7de972222a9a3 |
| SHA1 | 05726d27e3dca8628aee576933b98491f553e3c8 |
| SHA256 | fbd3651c51a18dc181752864f443c166b3d521cbd23a50264dc51bb248957669 |
| SHA512 | e0c6a56f89282ff10704742966eb42ca58ecd8b909b49c8bbc8b1801d32e6baa1ac0bf74da1a9fcc6cb577d42fd67848ff673f49583ea52ae27090d98bb93925 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
| MD5 | c88cfb5d130b7f971922584976ef23f8 |
| SHA1 | 5c06fd6eb51482fbbb7d10fb93ca6d0f84402830 |
| SHA256 | 1fc17489fda6627c2105e0ce5901b4e73ee0acb8cf7344c9b26b0d9b909bf2b0 |
| SHA512 | eedb196c17f746556a50ebf619ea17d54861ae74edcd1efa623d9c95189e99124155b87e05b86810c61c55b0b0fce944658c4c7a52698771a6b435f3d20c84b6 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\DuiLib32.dll
| MD5 | a3818800ad55631ece2c6389f58c437e |
| SHA1 | fa527223fa27279cf9ea960b86cc8df06515a006 |
| SHA256 | 06e248ca24fcedb2c4da03a0aee95b21ff396329b5dd84a84f0729f84b151f79 |
| SHA512 | 999497bc97cfb7d00b74a66b13778f013a1e37b700d8d5ca7e7698f69ac8246d47ada98d0ec7e973d1d47da403541a4e053428f6e42a2fe5ac1009d777d7f2fd |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
| MD5 | 1c303a4d36d0f0899a4b814bfa882fd5 |
| SHA1 | 2d772b40209b01bbbc23fcb2f4963a924d0b2deb |
| SHA256 | 15fa4fd8a148f89812893256647e1d412c0e8ed480edf89004f36cd041b1ba05 |
| SHA512 | 9baad17e2e99944493bfb646b813b59bf169246cafc3ba7942434b8ab3e78c39e4892b1eaf36482ae886713b1a4b3b21978945f3d4fe0515b51fff15b512f878 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\skin\___.wnpf
| MD5 | 0c3ab7880f71f521a6405cad27a06e46 |
| SHA1 | eae5ad330b4a0ca346a89c6c005ed913fc8e9e07 |
| SHA256 | cf33679af59ba9649f7d838d37bd016e1ba2bf82479527a47e598460d479388b |
| SHA512 | 5e127b683d53057cc14200637c177ab612bb6e7d1e7e45bc401ad24a0d488cfd1614e9a62954f82531f5c90d58f2b32c7d072ef4e0e7112cf151d2b097d26668 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.phrase.dat
| MD5 | 107912ba37911fe82eb4988cd20e36a3 |
| SHA1 | 9f91e1f78ad1e5ac9b1755feb12a560a05ec8b13 |
| SHA256 | 37de573fd8f348b04edaf11bfa41dc89dcdd73b87807abbad3579a202de3c28e |
| SHA512 | 242413a4f8b965a6ff01ca046c06046168a61e2df022dd0916b52e22a39e67d591ea464224b6247a23ae7e362d224185fb9cd0fb5c42e55eec1bf7ed2554e375 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.markov.dat
| MD5 | 199b1e07b487dbb76705972fc87b0475 |
| SHA1 | 722623c68bda6956f49cc77ea53b53adc1489a81 |
| SHA256 | 49007b2ec759e15198d01d908d10ffb782f037673ba9267a459737c93583000a |
| SHA512 | 46accadbd0f089cc3caeb8678972201f3012905f101d3691e7cc695f679c2aa343b842131bb655aa92a980146720ea0678d24120c50bf51662f8365ed919202d |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Related.ini
| MD5 | bbe122341326acd70c1013d812813639 |
| SHA1 | 2b758e1b8fbdfa578358968aed5676fb9d6a3dcd |
| SHA256 | ab81794ed0775fc8b3bf0789df3af606f92e1be47c19963e5ec1473261e2821d |
| SHA512 | 39d74d6ffa84545eb2abcaf52da906991fed56a5603131ba659a8a0cfd77e1c664f88ca9f756c4aa6b73c1a5bdd54b06f015e9dee24c0657d8baa01938ea63ae |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Config.ini
| MD5 | 578fb92f60250da9d6247e50a8c13e1a |
| SHA1 | f10beb7310a8b933bb8b9450a2ae5d6dbbb1f906 |
| SHA256 | e6dd000af22df8f82e856035883dac2468d260f54ea2ebf450cec996b75d7be2 |
| SHA512 | 99c46badb824a04a3598e7ab85be06e828a860b817ea1a1edc256f7d03778fe48d0e82b61cb3ad1d22431cbeeac578bc6fa9ff5b267d4e84d479e20ddf22a252 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wntool.exe
| MD5 | 480c58af1e0cfb27d3656d2df3e0a295 |
| SHA1 | e7c09623c6b94895a3b8c856ae464f8e8549dcf3 |
| SHA256 | 29efb4d04b0caeec3013e6c3b8e6331276e09dba483f2fc3795fd967a87ca7e0 |
| SHA512 | bf9287282ab73fd6cf668609466c761ae82a6e526780a9c21d9fd8fa431cabbf96c48dd79a7d40604ba8af2758fda2df7b03f17f3331064e3ed4a35e62cba702 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\_____.wnpf
| MD5 | ce980d401119ba58791fefd113cbf26d |
| SHA1 | 780a170e4ebb440d6528828a5ba05100f56c0681 |
| SHA256 | 83b50cf01aa2548459052a8f8515784c7e2d682028919ec713b92ed19a7dd8b8 |
| SHA512 | 5b67f6e94eb4a9d9b32f5c36355d17bdf91dd5d1c134153710a147bcc2ac13a2d6f3ac987ef67563c89dd23a86bffdee3d858b0d84454b6800802af262199dca |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\____.wnpf
| MD5 | a27fa6e5270a704d1bfb65a1fbcebfd8 |
| SHA1 | 6bff0aed16f06b30acd005e215734caca8d11812 |
| SHA256 | d0a11eb04ab745790bafc34c5b0bd13d2798669e7c77017c95c31712543b218a |
| SHA512 | e1bafd08db5974868d0127c81bd7db0b6d47fa42ef0fa5924a1b28ff270ec74a5710dd37587578d1da712c4b84620043a38e6ac9113cd5868a5c18dafb3404dc |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wntsf64.ime
| MD5 | f42a7c49162d6912717f5b6863507824 |
| SHA1 | 5ab2dfaa604638c45df3ea73e6bc0e1b1cb0144f |
| SHA256 | f6dc925d2f9dc97b770b0aa0a94b2df3e4899bab521e33ae05380767f9c83c1f |
| SHA512 | 8e1819e0593a6fe5bb9038da663132965faff06d76c6cdea8a7ac39817a13311658c3aec51429379d0d4b5cb57ce0dfa2b225c815fa201c25e88c2743af8d3d4 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wntsf32.ime
| MD5 | 233b75d2c4b7422bd98abe02a52ff8d1 |
| SHA1 | 3ebd73d00145fe84066ec72864890ef57bbccace |
| SHA256 | ffd7c4bbe8cee220a2245505e3c75ceadc3123234a03cad7abaae9a085d59922 |
| SHA512 | 8ac9c52975387f0753881c1c4f054b702432efbee638db74babb11e02e566f7f80ba7af00d069c36dd2f1323756ca4a1ad59f9f401627dc02def97cbb89f16ed |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnskininst.exe
| MD5 | 8fb0a302bb860721c5e8c141d09a95f6 |
| SHA1 | 1e44df5c843b5a6f71725cf3122897f7970f890f |
| SHA256 | eef95a33af3b4f7b50d2ec9ea38d2f3335101bedd6fad8b3effc3dd922d8f158 |
| SHA512 | 95b2e4af069098da7c5ca42080b0edffda81bbc1090bf4372fa4dfded38b1d9fbed280a355ed00cc51d67ac7f7e21828531a1026f69fe1f89614a50ad1f0c75d |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnplugin.dll
| MD5 | 40eff807d49b454e5b784edbd6bcc01f |
| SHA1 | 06a9d1329893b7325b63ac64e0371be5120853cb |
| SHA256 | 2b6aec450e6a0af3e3783b809e9a188ffda9f3c5d3fdfdf164a27cde87919812 |
| SHA512 | 6c0edcc855fb6cf9a06ab614f39cc22fa93e6cf2347ad2b0269b7a92d73b05f63e15ed7ce7e741f008fd641ad83c604611a2250503c747ef081333907abb4b58 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnmoniter.exe
| MD5 | 96017410e59ac6443483ccd57d0fae59 |
| SHA1 | 501d43b23914bc0c5ee8661ceaf3d478a01f7f27 |
| SHA256 | 817f7bee95c979eeeba66db278de176ad6ddf956a1f0a9673f3c352b58fab632 |
| SHA512 | 944d32e02149b8e6ee09312cd083cc99ec6050b1c023112a071fe167a8a7aab0e174874d01fc95a06f7246b0a8f01f2613ee33133c9591cfbfe52aa98d407368 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnimemanager.exe
| MD5 | f4d23b1771b3cd5be5cab620c24511f9 |
| SHA1 | 228c6423fabce9a26f7003d467cdff3c9a5d9a6a |
| SHA256 | 8a06a757252acc8b1c00f683e1b407c42c88d6fa6b461e6cea9f0c83b84149eb |
| SHA512 | bd6ebca5594d049ce59fbc2492f0d6ed590be6faff88b98d26253940c81b40aaf35308583eeffe0d53d06c5226a78b95eba65a59f7cf99e2aff6e7ab2ee84d42 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnimebrokerps.dll
| MD5 | 0232413a17e471173e7d231cb322273a |
| SHA1 | e136a6ed16e6fd2eef7ad5d22160f9006650cd32 |
| SHA256 | 47eed5f74acfbea2bf8701b49578861837ac636aa6159e9869300ae3ed7dc870 |
| SHA512 | f6e821313d0e441d83729217753f445f1804567f1b5821dcbda58437e1942f589a0e503f50a5750c091bb5933771bb7e45d4fc322378d7c9ca4fa2150e0198cf |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnimebroker.exe
| MD5 | 280f8d976b22992b36c219de94307252 |
| SHA1 | 8978000f81b5ac7dd79f44777307002256379719 |
| SHA256 | 98c7b8891031a197fe16e825ab21eef23ca0392be86cea81de023e6cc79c85dd |
| SHA512 | 4955e3b22ae43ad074d3d1d09401ad34789100abda67f6368959f26ef88fbdcbc0590ffaf1ffa9ac444edbfe98da428b3fcaba81cc46f2f97e7cb5cb71324736 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wndictinst.exe
| MD5 | da14701821d3e3f03d6a27a9e053247f |
| SHA1 | f8744827e53d2185f49462f18f409617fc2a4ee6 |
| SHA256 | 1c347163f11f810019da3fea628eb052bdc7411c631d8d5bdbf20f526fbea658 |
| SHA512 | 77eeaa8448dbde58f7d91e63c902e1d2098e2ea30a0d37b322dc5800e525779efaee722f50fe8a5bf72dd1a52f78a3591d60ce45d70e68fb5fb724503e5f9d27 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnconfig.exe
| MD5 | f3dacf5114d0a6d337cc28b1bc8aae51 |
| SHA1 | 32c8cc756717b4dda65ba30d96e52f0058d6364a |
| SHA256 | e33c9ee1d03df84b3b340a9298738091ad5dbeb06ab6c5df5fc0132715528db6 |
| SHA512 | e1d6db26c7a94adc7689adcf602e088ed76b05bb85e24a0460ff53470fcafbaac5725e126d832927faf5068ff6ea8779deed493d563e28a93a2b6d4c5a46101e |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wncloudhelper.dll
| MD5 | 5b4786b0e75ef5955b8f3fb97dae34a0 |
| SHA1 | 541f13c7028879533f7aed07a957c48ba49c0127 |
| SHA256 | 29a83e2487171dd42513ff28e6716e8978656c4c3d826e91a68081eb426d56ce |
| SHA512 | 177b9d475da40a6375ba4c782be670b377a005328c225cbc4990ed36dd3253108b298b5f4c160f273f5421be70a7ec2b0cce4ee50247e2621bf6bef34025256f |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wncloud.exe
| MD5 | f588002585b8188262ab057550980aca |
| SHA1 | 33a8a9c9c095868c5f9127f43c849906e7ec7c09 |
| SHA256 | 94801f62781ec3654ebf72ed3b589c3e8c4bb222a7f0bd508f8e17923c4b4ee4 |
| SHA512 | bd78055e5eb75dc0091f55c110582b94542d783818749473111c7c85fde1b83845a72ab57761ca4539d778c781b57a617ab0853e45fdd62b86e3d9b3b293b2fc |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnaccount32.exe
| MD5 | 050bf1429acf8bad2ef48ba135e6d286 |
| SHA1 | 72c40aebc08d13ea084bf05ec2a02beece58fafe |
| SHA256 | 4588275806e684f317028c2cc57d30028d47b69e3713a8e0d6566c818b5cc468 |
| SHA512 | 1b2085645a886006baebd6bde06962d9d4818d90f727bb7852c5737e8763d26af8a5cfb5d7defc1a2460da871c2dd8b6d03786745b236dbe8d81d2152d134f35 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wn64.ime
| MD5 | 2d57bcf8a1cb08e5e34ce9d76920806e |
| SHA1 | af09022574afbde10c836dfec06c9d19fd918fb3 |
| SHA256 | 57f23bc27f1dde714edb96c867dbd7bab49bb06aaf46c6d88b412e738fb7058c |
| SHA512 | 556ae808a59ed557c72922da3194d316d6cfb03b856469ab998bae83af4eae769faadba10f0cb5c97e622adfa0d1c4e933361279d6ddc62af9bf14e7c4869c95 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wn32.ime
| MD5 | 86199a4308a9a5eb30f3760c7e045ce5 |
| SHA1 | e9c92f98467eaa9c30627fb64929dc77cf2d448b |
| SHA256 | 4e1243534e1bd888f1cd893c6a3551b1342cc063e2f8f15608d9b52d48a80157 |
| SHA512 | 727bf17cf5d2fb5010f3f713b336bbc8d1fe545eab7202553771ccc3816c364c15b198d5c1df0db0240284848ba76d35725ba74fa710e2d4323d0feab0e15957 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wannengwbinfo.ini
| MD5 | 7b0aac4ff9dbaa7643af98c483f02ffa |
| SHA1 | 2335d99e5c8eab1fcb3b73bd43f63f28d6e451ca |
| SHA256 | e5619321150dc1f6982ebf13e2bf4ba9f8d45fe7ebf6cce847a010809e748474 |
| SHA512 | da329b10c5f934d79f195b6c0d1e00c65df799bf87881baae55ad6d2c945ada951c407a470c4865d98f39222c6fd22009200a06e05fb8aa29f82a5c9dd3e7045 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\ttxw.exe
| MD5 | f67c16319f464404c57a6cdad6dab2d8 |
| SHA1 | b3de9af64f35a8688c6c1a4890b758f25085157a |
| SHA256 | c6474f9d2d4ab08350630841114956132d8b40747d91a943bc66a0bfd361a533 |
| SHA512 | 9168aa46fb17fb9b8a6e0d28cccc2f0db8481031be09c256296fc915a69fddaf55a3693c604f147c5649746f14dd636d6cc8c024989ee5d089607a2d50d35268 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ziranma.ini
| MD5 | 7a187c3581532e9674af71d62acf73ce |
| SHA1 | d3154847f9e5acbf00606dabf1395d7e9af75772 |
| SHA256 | efa6b34e97f3d18407bfa227e3b6e5343ec276741a018ee001b8b5169bd5e940 |
| SHA512 | b909f964cf2e3cb473908cb5a67da51502be44a73e4f8f953fdef8f8823eaa5a4bf6d6d6d5787b7e74dd4d88d3ef0ce003e5d631c12ed25891dc1096d8fbbf0c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ziguang.ini
| MD5 | 1c138777608d0267a01c1982faa95acb |
| SHA1 | 1e8eda38388b347aa55d82b23b5f4d4501dbf7fa |
| SHA256 | 237b0d9012bc598fc432091b4f4f50a87e403487d1b2c1d15e61862960c56c27 |
| SHA512 | c3e360ab5548a0e9e74e619824f36a4f8a9f805b868b5e837a4426c1150960bbccb0367c0dd5ec961bfca3a09088863f573db465a9f8bcbec3cb99509ba6a18e |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\xiaohe.ini
| MD5 | 00de27aa4722e80364e1540486872ad6 |
| SHA1 | 00abc77afe64bd94c37266f2423b810b2aebda7a |
| SHA256 | df27342537f95622e7fedd734ba668080ce22e63b98f933732cfa18358826eb4 |
| SHA512 | ec22da353106a3dfcc27a80e7facebe58cfb89a32e430cf9d7674497d6aeb3b8b0236da5704395652f192762a22934557335fe21a66a9b7dcff63e04b90debb5 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\pinyinjiajia.ini
| MD5 | fd1837ae270311d4cbb9f5abfc9fc47f |
| SHA1 | e40692501a1d7838e169973f047644995a5176c7 |
| SHA256 | 9a1084d93edc5763c75d94ed18dad9d30e534690a63d91aade6b7a8f6559e0b8 |
| SHA512 | 2d8dc4abfb31ec33334dd135a776a68f9728cb361a60825deced1d15840ff6191459474dddf9b26075b6385c383d5c6dace2a228b8389074f9ed03d3b3b90114 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ms2003.ini
| MD5 | b667d31de86e3e87a8f8d128af0bb8fb |
| SHA1 | 820f2bc0e647c6f2f8a0093a8d79e7740b6a6b16 |
| SHA256 | ff8e629547151ea43ec2261c3b80a4ad77911d8965cb126a542e2d597c5ef565 |
| SHA512 | 5db57f61511a001d0718c64f3cc1f4af4611e4ae70c2917a3c90ec2b175e6b17b3ac5330e58f0dfe415dd9983836a41f36dc2f7c096c81fb35e97f9290fff71a |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\abc.ini
| MD5 | 8c19e1f441c7ce4116c1b1c87bab2ea4 |
| SHA1 | 807c3aadadb40050e95c553241500bbc99a37c1c |
| SHA256 | a05234ed4d989c44770b03505422a4313cf0c8a34162766d7e7771c75cfddcbd |
| SHA512 | dd4b6756e3fce0cca15be2bf8cb9441866164a96e93b6c18b16c3783401934db4f39b315f1850722f8cb222fb97671d0ca9aa9feffa6fc9613b0e8abbcd5d13f |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\scrsnap.exe
| MD5 | 695ab9a7a83ee188be36a2d6396b4aef |
| SHA1 | 028dc6feb77e2498c83204d22183ccfacb88a129 |
| SHA256 | 663d1759874d27e41052ab2a3db7cc4e03bee3acb08fe49b1588169c52959a89 |
| SHA512 | 2078f83d8d5a0b0c0b3f672f318c350e55adce94b1a91aa1bdd2a58dbb0001de8733516fe9f2647b79ef77db1647a230d84fd2e7d77acb00834f37237e8349ac |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\dict\wbphrases.dat
| MD5 | 453f5946cd5aa1fab3a621c02ba13ca0 |
| SHA1 | 774d5f7f4db5841cdd7d28f186d634a53b5e15f7 |
| SHA256 | f957609e64a1bb3d1dd193812c0895f0fae413a8807af9ac8770c5e0939b59d8 |
| SHA512 | 89d8d7487f522784a9e30639139c62d98983acb8a9167b81a25229267dfc7aa0a2f26b3a10c6800603e6c19d43ae409d91351d46e161cf8c31f29620e46d620c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\dict\header.dat
| MD5 | b2780bfc24b6eb1716cdf6f0ce56b5db |
| SHA1 | 337a1053094106cca10aa38a0fb8699c562eb03e |
| SHA256 | 7aed87f85e9da10c4fdc2eddcf28791358aefcf4adf0390b8076bf7c87b6c7b6 |
| SHA512 | 5fa23a001fc02901f5b94ccee007a7bf9d8a6127471b92a979b309672297ada367525a1859efe9a854e72227c0cdc74b715fb471102cbafce4aa447a04784a0c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.idx
| MD5 | dc8d2a5370364b8a7914214a593178cd |
| SHA1 | 0ee4218a416bbd753fb20f482baa8bda9efffdc4 |
| SHA256 | f3ccc5d6d199bb88a4f0383b7c0079090a90ec547b1320bc13cfb26f577c9fc3 |
| SHA512 | 4e90443b304ccee6104c8d132d9176fd55c383f8570cb3eab755c22067cc4fc37bb1fbfac960ab3430535278cf7e98dd6ecb8b2fe580807275d2e4523917d358 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.dat
| MD5 | 66194e6414f9142db59bd19cbfe3f891 |
| SHA1 | 3cc8bb6d7fc70c54a429e156a2f829978fa00941 |
| SHA256 | c8377cd117f9279fdf983660525ae57f5241081ca078ad3b72735c79427a44a5 |
| SHA512 | d7f5b925b358037f568fcb9e78a20faa21125f0a13f6f07bf1e0599bb3e85041ef7a5520bab3cbf6d8878649a755802608d035a40652130b4e14bcc5fb1416ea |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.idx
| MD5 | 2ae94b7c9295ce2e4703f9fa4cfa5aed |
| SHA1 | 36a7941c8c3f6db4fdd9253d8b795133220a5af2 |
| SHA256 | 3f6f51e3f908d4e4865ded188c4fb5c820016aa81a1c58b0c9d57696c56553e0 |
| SHA512 | ac1518fd4a6727bbf4c0bbcee23a83bd72814ababa0038c966ea11d293f6788777d97e76e504edd1028f577286b5cfdece5fd375c67dc20c7fee0941cc30d929 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.dat
| MD5 | e3ec7d071cf338406e2ae25ae1de837c |
| SHA1 | d291f28dbc3c5c4073190f9d4b59e192bdd5bc00 |
| SHA256 | 70aecbd98b655a83b1a1cff8b99e15989a4befcff22940a31e78f0cd6ae002b5 |
| SHA512 | 1a2d07151c03797e2969f4f559df4c814684ebcab4b837ec7ab4b6e881db6f9220b4322799ec86b3c9cebee1fe447e69fdcea3ba5e560ff6b182a517de71c7a7 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\PYPhrases.dat
| MD5 | 8ec0355207fbe37b7a42b4694867c679 |
| SHA1 | 16ca274096abd242a5848d930eec3548f446f561 |
| SHA256 | ca96656b5076ad0e4ea7c2f4abb9c2c83112b5f30fb2c67a4032377da2757c8a |
| SHA512 | f6f9e075ca04b99ce1a92c75567713360d4c21489801e2e0a911033a4b4002e67fe2371bee8b9243678affb8083f2ab801a64df8352b188b38435c583ceadac3 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.dict.dat
| MD5 | 4f37c718863b2ebfae4a1dfc468d5b3e |
| SHA1 | aea4952b9c7aa7ac82a8fac1ab146104527cd9ba |
| SHA256 | e08399c01d272ab9002c8cfc248eeddd741dd30f2cd99f9c58b046b8d852e2f7 |
| SHA512 | b00f0545b382af35c6372070ba6c79ea3df5bf6dfc04012d2838fe6692da6cb85ca2dcbc7fc6f5541bde8ce3d1b9917de9b8dfcb3384b9b4bc463b9719596cbc |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\lx.dat
| MD5 | a2e1316bfb1b91f41608b3eff971f14c |
| SHA1 | fa610407b7e00af14e524fe850b1f1da33bc0bd1 |
| SHA256 | 4537e4b2f190b234bb585a4dcc7e4bef802d128fd2272f84fcfaee29011b30d0 |
| SHA512 | aedd29442c93904ac8b057eb7c37611bca7c47737e626000cb509bc761d95799d120844d1f896db777927062b1de02a3e3e9e67b84ea3de9c0a9f09c3426827d |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.idx
| MD5 | 9345156077f965a5b9becb2f666fcd4d |
| SHA1 | a2942102b142a255d4d752b7a0ac352f135f1e73 |
| SHA256 | e56f4ca0ee34027332842baa54269229a683a0ca38016d44a62251188ca0a7b7 |
| SHA512 | 379b73ecbcc136a558b7aed7671bf1089ad6f1ac0db012bfa35e752e62e812ab54c55b4301dba285d207b6d726b1a4183027b1c99f82898ebe003ede6b49804c |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.dat
| MD5 | 5cd6826ccc90628e18e0c748c1ddb228 |
| SHA1 | 853b56b15832b3fa71adc94346b23a3ed57124f8 |
| SHA256 | 49124db852ebfe68eb87159e96edb2fb65c61da3b611c8395b4443a2f33fa82f |
| SHA512 | 11615b74fccf2cf4e0586660acfba55be7a51f83a2eb3c1889a77475197de8f338f13972036ca8ebdc1867f9990edef8525b8f3b7d4eb85bc1fa2604eb0979b7 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\dz.dat
| MD5 | cbb821b7649b301473d6ddc1f205347c |
| SHA1 | 222bceceb822ca01ba97f8340887679b49dec14e |
| SHA256 | 2c7048a15f2c9b9ee4b222ff59e3e70c11a5c3d5a7dc1c71a6ea568c773964ee |
| SHA512 | c1fffe2c3904c731bf825c8cec84189c1eb5d2aa3c2b541dde0a2ac61c7d16055f22374cbe608015f71343b2e437b2366105fff26f0571bccf8135c02b2aef42 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.idx
| MD5 | 5960cc64e17b3e24c2eab1b437acfbf1 |
| SHA1 | 873d156d75beccb63e8f28fa113746cdd5e580d5 |
| SHA256 | 7c2259f62ad84ea005cc1af6d6cfaa18808e1c8bc31a4e01727f63eb63d76f39 |
| SHA512 | bbc0a748ddbd457d1c36d7e170b1c75370d0060a35f0f9697f14d43fe8ebd73320984cbc4b73c9b0a6b4a7d8ad51f1bdc71b5e223d859f6e46249f660b6b7cf3 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.dat
| MD5 | daff0d8a8977274af7c8408d1573642e |
| SHA1 | d9bc49151004c7be355f40d9f62d23944dfa5166 |
| SHA256 | 38a35820e2bfcd02e3da4a3e05b8c9bfff50b5d3e26ff7115dc0cfdbd0cb1b10 |
| SHA512 | 2a9a209a35c794a94c07a3a030a14d0595f7fb6a107c864f712c58746485684b80da29efa9e07cc68b9cb4fa33e28972be0120360e39930e190c448946a4a25d |
C:\Program Files (x86)\WanNengWBInput\__.txt
| MD5 | 1521294de4b25e37c39cc0756c90b9a3 |
| SHA1 | 1f7e6f4430d20ac7e12df089c46c6718c78aa1fc |
| SHA256 | 80eabe7b9d206602187e07cce75191757787a1582045f289d3ed0e054a7de47e |
| SHA512 | 066d6ac39f02d7793003d5a7b6fd3340e4c594638c08a6da3b05f9680df63df82415f57afae9eba920431c6bf673d046d88648b5dfdbfedd55b8352b8dd859c8 |
C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
| MD5 | b0594248b7d76aa6c865d26ed0bd0c11 |
| SHA1 | 7ac533564ae5e27e37738d454d27b05e6f25e241 |
| SHA256 | 7c1ff9ce73430ebaac99835316cbcd466ec68bced186a735336937bb67024ed1 |
| SHA512 | 494d61954eb197c3e3603605ffd67b0e912716975e92a5e1c4a5362ab06d471da22bc192be4a0a233982759c81bf792dba6387dbab85d39a766807b99b71530b |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Config.ini
| MD5 | fa8cb01651751dcf9c550cce47799615 |
| SHA1 | 65d433e5efb35e2fd35b9749f9ab70707295a8c9 |
| SHA256 | 0d46c28e1b76acada13683aeb9349ad40dfa798787cf2b0562983303bc4ed74d |
| SHA512 | c14ffcb4ea3d2c3c1da9129223b2686417f4aa435d3e96745e1f2062cbb5bc4953754417f4db2c5cf480bc84153bb2493f268928297ede095b1f6314343c989c |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Related.ini
| MD5 | 10b382595fda635418d30880be8fbe2b |
| SHA1 | 8af1cf248e9aadfc5e69941810d08fb7800c6053 |
| SHA256 | 08d48d152750069ce636eee0e5f8ec84bacb5606f1f42df67545800ff4d62332 |
| SHA512 | ee9f8a220ba18f95ec1b26bb3d34ee797910c8c6c56222c4c7bf27b28633ae406fb39be415f2807d5de670c0b5ec6fd635f477a48d58c3a1f2f08d23d5e78258 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Config.ini
| MD5 | 2da784ee50e7e8f867e15b6f4a4ec136 |
| SHA1 | 058c25deaecf5a7769e9117c8c7ba02d64af637c |
| SHA256 | 780596e1bb7ec55695f9aa585df6d94b89f002c11cd6e0cb5c8b260d95853e36 |
| SHA512 | afd4a42f1c5f62c75c4b4abf7b70620bb66c2feacd2760c0cdf7bec2312772d1e97aa83f8c2e46de7432916c1ef2bc84f2ff19322b486db05ae617cb8d63c988 |
memory/1548-5434-0x0000000001060000-0x00000000010FB000-memory.dmp
memory/2020-5449-0x00000000032C0000-0x000000000335B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 39f773c06f5252edbd73acb5291e7a98 |
| SHA1 | 03ba4a906a79c212871142886b09aa0f2f0c18c1 |
| SHA256 | 49d896f60fc169cf775b3187979480e9abe3fa91333abb05d88f6baa0cc35d7e |
| SHA512 | 073b10e47efaca4fe0b1b9bb5c87ae1309a6f8ddde61bcd2d098e8f133a5bd4336e5a0eabaea2f2eceef0b7d9b59eb53ab0efcf7a0abc6d5b4e119f2a437a080 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 000256a5f500f217f6244738ac2b8567 |
| SHA1 | 0c919bf7ab724958a5a37df6f0406d404646cdca |
| SHA256 | 4093091bb7272ea204f4cbe2f5e8c29360d6ac98aa48a3191557fefac25a772a |
| SHA512 | a7323cfe7d8ac526aaa15a9f8d31ec8b775fb4febfd4ca9f3676e534600044a36573a036a679e476d390bf80fc535568f571699192b20f544e1853940044679d |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | e71f85ade74f7ddc1a4072981728e6e7 |
| SHA1 | c6998a865178b91d094dcf6d4b24ad6e6c971d03 |
| SHA256 | ce3580719cad2f89a2aae4f07c6118808193d479b050e784412cea3059b2cf22 |
| SHA512 | da7b7b7b48b74020eec387fd6cb17db35b48c1176b262e7938ef8f965452ff6c559dc6bfd538803dbf32876a7819a8cbf94d93d93d4bc487f36ad7deccf8d311 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | e691d767fe4a990d322b37e02a0323ef |
| SHA1 | c353ea3203b0d44332a1235c260dea13a38b5021 |
| SHA256 | cb7f31a0b9f55b6e8a654738e1c85d88a7e0beccfa62a113d52aee1dd6d552d6 |
| SHA512 | 1f944d8034b23c727c72b7775b4da80a3f64773687868bf02983844f5f5e83b34c48fbbb5f89cc760a86e532408d74ad9aa04d67556926db0e10c7ac1b750aeb |
memory/1384-5511-0x0000000003BA0000-0x0000000003C3B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | e318e41d490045e623ecfc986ddf9a56 |
| SHA1 | c06d162589ed964b5739adb2cc4e55a8a323ffef |
| SHA256 | b68ad34724083bdb7ad905035e314390f93424b798ba2edd4933280a0def8403 |
| SHA512 | 699f594c6e26a91e1bba3767a0dda4f500ac813609777503130d95dfaa617b173a87709fe0adc10bac15dff801896df53579ac43efd6d329f332c32dae639493 |
C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini
| MD5 | 687ddc9021b85d1bafd73d2047c8aaed |
| SHA1 | f472a13979892e6701723da0cbb4649d5bed0c2e |
| SHA256 | 20a49a3c2403d3da33477739a8249446b358f5213f9f9a8bcee56b414aefb255 |
| SHA512 | 7a800b8050c8047bf0a2ad705f69ded54944c61cefcc189e24525b2888b492100b2186a934eec4638a26420c7f8e3b390137329ad435e2e43f96119e517448b3 |