Malware Analysis Report

2024-09-23 13:13

Sample ID: 240612-rd82fsxfqd
Target: a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118
SHA256: 0ae4b5b1b26c249a955feb8ef12eb4269020542ece9d928949570c1e017b4a80
Tags: bootkit, discovery, persistence
Score: 6/10

Analysis Overview

Score: 6/10
SHA256: 0ae4b5b1b26c249a955feb8ef12eb4269020542ece9d928949570c1e017b4a80
Threat Level: Shows suspicious behavior

The file a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Adds Run key to start application
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Windows directory
Executes dropped EXE
Drops file in Program Files directory
Loads dropped DLL
Checks installed software on the system
Registers COM server for autorun
Enumerates physical storage devices
Modifies Control Panel
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 14:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 14:05
Reported: 2024-06-12 14:08
Platform: win7-20240419-en
Max time kernel: 148s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe"

Signatures

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WNMutualRunOne = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnCore.exe RestartRunOneProgram" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\Wn.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A
File opened for modification | C:\Windows\system32\Wn.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A
File created | C:\Windows\SysWOW64\Wn.ime | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A

Checks installed software on the system

Tags: discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnConfig.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\PYPhrases.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\wb.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\Header.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\__.txt | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnPlugin.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnwb.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.idx | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNTSF64.ime | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\lx.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\TTXW.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\ABC.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNCloudHelper.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wn64.ime | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeBrokerPS.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil64.dll | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\yy.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnSkinInst.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\dz.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\gbk.idx | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\___.wnpf | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.markov.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\ZiGuang.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.idx | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeBroker.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\PYPhrases.dat | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\MS2003.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnMoniter.exe | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.phrase.dat | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File created | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\XiaoHe.ini | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
File opened for modification | C:\Windows\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A
File opened for modification | C:\Windows\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe | N/A
File opened for modification | C:\Windows\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A
File opened for modification | C:\Windows\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | N/A
File opened for modification | C:\Windows\ | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe | N/A
N/A | N/A | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} | C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe | N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadNetworkName = "Network 3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\56-42-83-c4-9d-5b C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = 90a617c4d1bcda01 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionReason = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionReason = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = 90a617c4d1bcda01 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecision = "0" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecision = "0" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wncl C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\DefaultIcon C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf\ = "WanNengWBImeSkinFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\ = "WanNengWBImeDictFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\DefaultIcon C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\ = "WanNengWBImeSkinFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnSkinInst.exe\" -install %1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnSkinInst.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\DefaultIcon\ = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open\command C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe\" -install %1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wncl\ = "WanNengWBImeDictFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
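The ElevationPolicy and file-association rows above are easier to judge once resolved than read row by row. A Policy value of 3 under Internet Explorer\Low Rights\ElevationPolicy tells IE Protected Mode to launch the AppName found in AppPath at medium integrity with no prompt (2 prompts first, 1 launches at low integrity, 0 blocks the launch), so the {2C90AC17-...} entry lets WnCore.exe leave the low-integrity sandbox silently. The .wnpf and .wncl class keys route a double-click on those extensions into WnSkinInst.exe and WnDictInst.exe with the file path as %1. The Python below is an added example, not part of this report or of the WanNengWBInput product: it parses rows in the sandbox's own line format (the sample rows are copied from the two tables above), merges the native and Wow6432Node views per CLSID, lists the CLSIDs that elevate silently, and resolves extension -> ProgID -> shell\open\command. The row grammar the regex assumes (spaces allowed in the key path, C-escaped quoted values, process path starting with a drive letter) is this example's own reading of the table, not a documented format.

```python
import re

# Event rows copied from this report's "Modifies Internet Explorer settings"
# and "Modifies registry class" tables (behavioral1), in the sandbox's own
# row format: "<op> <registry path>[ = <value>] <process> N/A".
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf\ = "WanNengWBImeSkinFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnSkinInst.exe\" -install %1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wncl\ = "WanNengWBImeDictFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe\" -install %1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
"""

# Row grammar assumed by this example (not documented by the sandbox): the key
# path may contain spaces, a value is either C-escaped in double quotes or a
# bare hex blob, and the writing process path always starts with a drive letter.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<path>.+?)'
    r'(?: = (?P<value>"(?:[^"\\]|\\.)*"|\S+))?'
    r' (?P<proc>[A-Za-z]:\\.+?) N/A$'
)

def unquote(value):
    """Undo the C-style escaping of quoted values (backslash-backslash, backslash-quote)."""
    if value is None:
        return None
    if value.startswith('"') and value.endswith('"'):
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value  # bare hex blob, returned as-is

def parse_events(text):
    """Return (registry path, decoded value or None, writing process) per row."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m['path'], unquote(m['value']), m['proc']))
    return events

ELEVATION_RE = re.compile(
    r'\\Internet Explorer\\Low Rights\\ElevationPolicy\\(\{[0-9A-Fa-f-]+\})(?:\\(\w+))?$',
    re.IGNORECASE,
)
# Documented meaning of the Policy value for IE Protected Mode.
POLICY_MEANING = {
    0: "launch blocked",
    1: "launch silently at low integrity",
    2: "prompt, then launch at medium integrity",
    3: "launch silently at medium integrity",
}

def elevation_policies(events):
    """Merge the native and Wow6432Node views of each ElevationPolicy CLSID."""
    policies = {}
    for path, value, _proc in events:
        m = ELEVATION_RE.search(path)
        if not m:
            continue
        clsid, name = m.group(1).upper(), m.group(2)   # CLSID case varies per row
        entry = policies.setdefault(clsid, {})
        if name and value is not None:
            entry[name] = int(value) if name == "Policy" else value
    return policies

def silent_elevations(events):
    """CLSIDs Protected Mode will launch at medium integrity without asking."""
    return [(clsid, p.get("AppPath", "") + p.get("AppName", "?"))
            for clsid, p in elevation_policies(events).items()
            if p.get("Policy") == 3]

CLASSES = '\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\'
OPEN_CMD = '\\shell\\open\\command'

def file_associations(events):
    """Resolve extension -> ProgID -> open command from the logged class writes."""
    progid_of, command_of = {}, {}
    for path, value, _proc in events:
        if value is None or not path.startswith(CLASSES):
            continue
        rel = path[len(CLASSES):].rstrip('\\')   # default-value rows end in '\'
        if rel.startswith('.') and '\\' not in rel:
            progid_of[rel] = value
        elif rel.lower().endswith(OPEN_CMD):
            command_of[rel[:-len(OPEN_CMD)]] = value
    return {ext: (progid, command_of.get(progid)) for ext, progid in progid_of.items()}

if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for clsid, target in silent_elevations(events):
        print(f"{clsid}: {target} ({POLICY_MEANING[3]})")
    for ext, (progid, cmd) in file_associations(events).items():
        print(f"{ext} -> {progid} -> {cmd}")
```

Only entries whose Policy, AppName and AppPath all appear in the rows fed to it are reported as complete; the other CLSIDs in the table above are partial in this excerpt, so feed the full report to get the whole set.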

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2544 wrote to memory of 2540 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2544 wrote to memory of 2540 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2544 wrote to memory of 2540 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2544 wrote to memory of 2540 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2544 wrote to memory of 2596 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2544 wrote to memory of 2596 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2544 wrote to memory of 2596 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2544 wrote to memory of 2596 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2544 wrote to memory of 2080 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2544 wrote to memory of 2080 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2544 wrote to memory of 2080 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2544 wrote to memory of 2080 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2104 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2596 wrote to memory of 2784 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2596 wrote to memory of 2784 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2596 wrote to memory of 2784 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2596 wrote to memory of 2784 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2224 wrote to memory of 3052 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 2224 wrote to memory of 3052 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 2224 wrote to memory of 3052 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 2224 wrote to memory of 3052 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 2224 wrote to memory of 1796 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 2224 wrote to memory of 1796 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 2224 wrote to memory of 1796 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 2224 wrote to memory of 1796 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 2224 wrote to memory of 2556 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2224 wrote to memory of 2556 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2224 wrote to memory of 2556 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2224 wrote to memory of 2556 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2224 wrote to memory of 1424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 2224 wrote to memory of 1424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 2224 wrote to memory of 1424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 2224 wrote to memory of 1424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 2556 wrote to memory of 1500 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 2556 wrote to memory of 1500 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 2556 wrote to memory of 1500 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 2556 wrote to memory of 1500 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1796 wrote to memory of 584 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1796 wrote to memory of 584 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1796 wrote to memory of 584 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1796 wrote to memory of 584 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 2556 wrote to memory of 1492 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 2556 wrote to memory of 1492 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 2556 wrote to memory of 1492 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 2556 wrote to memory of 1492 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 2556 wrote to memory of 1924 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2556 wrote to memory of 1924 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2556 wrote to memory of 1924 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2556 wrote to memory of 1924 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2556 wrote to memory of 1900 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2556 wrote to memory of 1900 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2556 wrote to memory of 1900 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2556 wrote to memory of 1900 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
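The WriteProcessMemory rows above read better as a tree. Each parent/child pair is listed four times, which is consistent with ordinary process creation (the parent writing the new child's startup data into it) rather than injection into an already running process; the signal worth keeping is which image started which. WnService.exe (PID 2224) appears only as a writer and never as a target, consistent with it being started as a service (its command line in the Processes list is "WnService.exe" StartService) rather than by any process in this chain, so it shows up as a second root. The Python below is an added example, not part of this report: it parses rows in the sandbox's line format (the sample is copied from the table above; the first pair keeps all four repeats as logged, the other pairs appear once each, a constructed subset for brevity), collapses repeats into a write count, and renders the process tree from its roots.

```python
import re
from collections import Counter, defaultdict

# Rows copied from this report's "Suspicious use of WriteProcessMemory" table
# (behavioral1). The first parent/child pair keeps all four logged repeats;
# the remaining pairs are listed once here (a constructed subset).
SAMPLE_ROWS = r"""
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2544 wrote to memory of 2540 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2544 wrote to memory of 2596 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2544 wrote to memory of 2080 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2104 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2104 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2596 wrote to memory of 2784 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2224 wrote to memory of 3052 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 2224 wrote to memory of 1796 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 2224 wrote to memory of 2556 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2224 wrote to memory of 1424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 2556 wrote to memory of 1500 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1796 wrote to memory of 584 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 2556 wrote to memory of 1492 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 2556 wrote to memory of 1924 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2556 wrote to memory of 1900 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
"""

# Row grammar assumed by this example: both image paths may contain spaces and
# each starts with a drive letter, so the writer's path ends where " C:\" begins.
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_image>[A-Za-z]:\\.+?) (?P<dst_image>[A-Za-z]:\\.+)$'
)

def parse_rows(text):
    """Return (writer pid, target pid, writer image, target image) per well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m['src']), int(m['dst']), m['src_image'], m['dst_image']))
    return rows

def build_tree(rows):
    """Collapse repeated writes into a count and keep children in first-seen order."""
    children = defaultdict(list)   # parent pid -> child pids
    images = {}                    # pid -> image path
    writes = Counter()             # (parent, child) -> logged write count
    for src, dst, src_image, dst_image in rows:
        images.setdefault(src, src_image)
        images.setdefault(dst, dst_image)
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return dict(children), images, writes

def roots(children):
    """PIDs that wrote to others but were never written to: where a chain starts."""
    targets = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in targets]

def render_tree(children, images):
    """Indented text tree, one line per PID, depth-first from each root."""
    lines = []
    def walk(pid, depth, seen):
        name = images.get(pid, '?').rsplit('\\', 1)[-1]
        lines.append(f"{'  ' * depth}{pid} {name}")
        for child in children.get(pid, []):
            if child not in seen:          # guard against a malformed cyclic log
                walk(child, depth + 1, seen | {child})
    for root in roots(children):
        walk(root, 0, {root})
    return lines

def analyse(text=SAMPLE_ROWS):
    """Everything in one place: tree, images, write counts, roots and rendering."""
    tree, images, writes = build_tree(parse_rows(text))
    return {"tree": tree, "images": images, "writes": writes,
            "roots": roots(tree), "lines": render_tree(tree, images)}

if __name__ == "__main__":
    result = analyse()
    print("\n".join(result["lines"]))
    print({pair: n for pair, n in result["writes"].items() if n > 1})
```

A pair whose write count is far above the four-per-spawn baseline, or a target PID that never appears as a freshly created child elsewhere in the report, is what would distinguish real injection from the creation pattern seen here.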

Processes

C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe"

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" InstallWuBiSpreadOperate JaffaCakes118240612

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" CheckSysMb

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe" RunAutoLoadDict

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe" /InstallIME Wn

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateStartMenu

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateWGDestTopShortCut

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" DownloadCellDictMb 2476,6904,6448,6452,6446,6447,6913,2491,4174

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe" StartService

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe" CheckInstallIme

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe" RunCloud

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" SoftExtraOperate

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe" RunAuto

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunPushMessageBySrfAuto

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" CloudHelper

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe" AutoLogin

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" UpLoadUserTypeInfo

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" QueryAppInfo

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunServerCmd

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetSrfCompWndSpreadLink

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetWindowPopData

Network

Files

\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini

C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini

\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe

\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe

\Program Files (x86)\WanNengWBInput\9.7.0.0426\DuiLib32.dll

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\wb.idx

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\PYPhrases.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Wn64.ime

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.idx

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\_____.wnpf

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\____.wnpf

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\AllSkin\___.wnpf

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnconfig.exe

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wncloudhelper.dll

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wncloud.exe

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wnaccount32.exe

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\ttxw.exe

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ziranma.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ziguang.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\xiaohe.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\pinyinjiajia.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\ms2003.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\spschemes\abc.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\scrsnap.exe

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\dict\wbphrases.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\dict\header.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\config.ini

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.phrase.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.markov.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.dict.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\lx.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.idx

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\dz.dat

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.idx

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.dat

C:\Program Files (x86)\WanNengWBInput\__.txt

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Wn32.ime

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Related.ini

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Config.ini

memory/2224-581-0x0000000002510000-0x00000000025AB000-memory.dmp

memory/2544-596-0x00000000030A0000-0x000000000313B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Related.ini

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini

memory/1500-650-0x0000000002610000-0x00000000026AB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\UseVestige.ini

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:05

Reported

2024-06-12 14:08

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WNMutualRunOne = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnCore.exe RestartRunOneProgram" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
File opened for modification C:\Windows\system32\wnTSF.ime C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
File created C:\Windows\SysWOW64\wnTSF.ime C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
File created C:\Windows\SysWOW64\IME\WanNengWB\WnImeBrokerPS.dll C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
File created C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Windows\system32\wnTSF.ime C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\gbk.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.markov.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil64.dll C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\lx.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.dict.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\_____.wnpf C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\py.markov.dat C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Config.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\Header.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\yy.dat C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\MS2003.ini C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNTSF32.ime C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\yy.idx C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\PYPhrases.dat C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\wn64.ime C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Skin\____.wnpf C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnSkinInst.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\WBPhrases.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnPlugin.dll C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\bh.idx C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount32.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil32.dll C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\__.txt C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\PinyinJiaJia.ini C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\TTXW.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUtil64.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\SPSchemes\XiaoHe.ini C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\wb.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WNCloudHelper.dll C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\dz.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\gbk.idx C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\PYPhrases.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnConfig.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\bh.idx C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeBroker.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\gbk.dat C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\yy.dat C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\BackMB\wb.dat C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
File opened for modification C:\Windows\ C:\Windows\system32\regsvr32.exe N/A
File opened for modification C:\Windows\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ = "C:\\Windows\\system32\\wnTSF.ime" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowAutoCorrection = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\PreviousPreferredUILanguages = 65006e002d005500530000000000 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\PreferredUILanguagesPending = 65006e002d005500530000000000 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowShiftLock = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\zh-Hans-CN\0804:{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}{1E552381-07D8-4DB8-B086-65EF69BC9965} = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\en-US C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\zh-Hans-CN C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\Languages = 65006e002d005500530000007a0068002d00480061006e0073002d0043004e0000000000 C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowTextPrediction = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\User Profile\ShowCasing = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\International\AcceptLanguage = "en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.2" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppName = "WnCloud.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppName = "WnConfig.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\AppName = "WnTool.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppName = "WnUpd.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{479AD6FA-F38D-46b6-9D7F-221FA8763865}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppName = "WnWordManager.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\AppName = "WnUserPage.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D6D7077F-DA57-4885-A2C3-FA235561C443}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349}\AppName = "WnCore.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\Policy = "3" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{01158BA9-0FC3-444a-9441-1DC6899AE402}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C90AC17-3A35-491e-A096-E793D64B5349} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99CDB849-F9D1-4441-A362-21048E76B760}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94AE6CF1-42AC-47b1-8521-F3A8AC4F03DB} C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{07454508-0669-4ecb-BD15-0993F7158138}\AppPath = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\IME\\WanNengWB" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\ = "WanNengWBImeDictFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\WnImeBroker.EXE\AppID = "{9FD1F6B6-A56D-4BCB-87E2-D03AC70661FC}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\0\win32 C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf\ = "WanNengWBImeSkinFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\AppId = "{b0316d0c-da2f-40e0-9f91-f600caf042dc}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32 C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe\" -install %1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\Version C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\Programmable C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ = "C:\\Windows\\system32\\wnTSF.ime" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ = "C:\\Windows\\SysWow64\\wnTSF.ime" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\ = "WanNengWBImeSkinFile" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wnpf C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib\ = "{60425206-4BDF-46B4-B048-C464D779C333}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell\open C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\ = "ImeCmdBroker Class" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\TypeLib\ = "{60425206-4BDF-46B4-B048-C464D779C333}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\WnImeBroker.EXE C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\Version\ = "1.0" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4} C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32 C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "IImeCmdBroker" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib\ = "{60425206-4BDF-46B4-B048-C464D779C333}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command\ = "\"C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnSkinInst.exe\" -install %1" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4} C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "IImeCmdBroker" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\DefaultIcon C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1} C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32\ServerExecutable = "C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32\ = "C:\\Windows\\SysWow64\\IME\\WanNengWB\\WnImeBrokerPS.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\NumMethods\ = "10" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell\open\command C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\DefaultIcon\ = "C:\\Program Files (x86)\\WanNengWBInput\\9.7.0.0426\\WnDictInst.exe" C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeDictFile\shell C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{33723E1E-1F24-4CF8-9A99-458D099657B4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile\shell C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\0 C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\HELPDIR C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ = "IImeCmdBroker" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WanNengWBImeSkinFile C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32\ = "\"C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe\"" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\FLAGS C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60425206-4BDF-46B4-B048-C464D779C333}\1.0\ = "ImeBrokerLib" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
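
The registry rows above show two COM classes and one interface being registered from three different processes (the 32-bit regsvr32, WnImeBroker.exe /RegServer and the installer's WnCore.exe), and the interface's ProxyStubClsid32 default value is written with two different values. The script below is an added example, not code from this report, from the sandbox or from the installer's vendor: it parses rows in this layout, extracts each COM server registration (server binary, threading model, registering process, WOW6432Node versus native view) and reports interfaces whose proxy/stub CLSID was overwritten. SAMPLE_ROWS is a verbatim subset of the rows above; the two row layouts (`Set value (str) <key>\<name> = "<escaped value>" <process> N/A` and `Key created <key> <process> N/A`) are assumed from the table, and the meaning given to {00020424-0000-0000-C000-000000000046} (PSOAInterface, the type-library marshaler) is general Windows knowledge, not something the report states.

```python
"""Extract COM server registrations and proxy/stub conflicts from sandbox
registry rows.

Added example: not code from the report, the sandbox or the installer's
vendor. SAMPLE_ROWS is a verbatim subset of the report's rows; the two row
layouts handled here are assumed from that table.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33723E1E-1F24-4CF8-9A99-458D099657B4}\InProcServer32\ = "C:\\Windows\\SysWow64\\IME\\WanNengWB\\WnImeBrokerPS.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{33723E1E-1F24-4CF8-9A99-458D099657B4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33723E1E-1F24-4CF8-9A99-458D099657B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32\ServerExecutable = "C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4BE9783-8651-4483-9516-8806DBE597B1}\LocalServer32\ = "\"C:\\Windows\\SysWOW64\\IME\\WanNengWB\\WnImeBroker.exe\"" C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CB3BC1A-2FD4-4668-B5C5-646329DD489F}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
"""

SET_ROW = re.compile(r'^Set value \(\w+\) (\S+) = "(.*)" (.+?) N/A$')
KEY_ROW = re.compile(r'^Key created (\S+) (.+?) N/A$')
# ...\CLSID\{clsid}\InProcServer32|LocalServer32, optionally under WOW6432Node
SERVER_KEY = re.compile(r'\\(WOW6432Node\\)?CLSID\\(\{[0-9A-Fa-f-]+\})\\(InProcServer32|LocalServer32)$')
PROXYSTUB_KEY = re.compile(r'\\(?:WOW6432Node\\)?Interface\\(\{[0-9A-Fa-f-]+\})\\ProxyStubClsid32$')


def parse_rows(text):
    """Return (kind, subkey, name, value, process) tuples; kind is 'set' or 'key'.

    The report escapes backslashes and quotes inside values with a backslash,
    and a key ending in '\' denotes the key's default value (name == '').
    """
    events = []
    for line in text.strip().splitlines():
        if m := SET_ROW.match(line.strip()):
            subkey, name = m.group(1).rsplit("\\", 1)
            value = re.sub(r"\\(.)", r"\1", m.group(2))   # undo the report's escaping
            events.append(("set", subkey, name, value, m.group(3)))
        elif m := KEY_ROW.match(line.strip()):
            events.append(("key", m.group(1), None, None, m.group(2)))
        else:
            raise ValueError("unrecognised row: " + line)
    return events


def com_servers(events):
    """Map (clsid, view) -> server record. WOW6432Node is the 32-bit view on a
    64-bit OS; anything else is the native view."""
    servers = {}
    for kind, subkey, name, value, proc in events:
        m = SERVER_KEY.search(subkey)
        if not m:
            continue
        view = "32-bit" if m.group(1) else "native"
        rec = servers.setdefault((m.group(2), view), {
            "kind": m.group(3), "path": None, "threading": None, "writers": set()})
        rec["writers"].add(proc)
        if kind == "set" and name == "":
            rec["path"] = value.strip('"')             # default value = server binary
        elif kind == "set" and name == "ThreadingModel":
            rec["threading"] = value
        elif kind == "set" and name == "ServerExecutable":
            rec["server_executable"] = value
    return servers


def proxystub_conflicts(events):
    """Interfaces whose ProxyStubClsid32 default was written with more than one
    value, mapped to {value: writing process}.

    {00020424-0000-0000-C000-000000000046} is PSOAInterface, the type-library
    (OLE automation) marshaler; a value equal to the IID itself means a custom
    proxy/stub DLL registered under that same CLSID (here WnImeBrokerPS.dll).
    """
    writes = defaultdict(dict)
    for kind, subkey, name, value, proc in events:
        m = PROXYSTUB_KEY.search(subkey)
        if m and kind == "set" and name == "":
            writes[m.group(1)][value] = proc
    return {iid: w for iid, w in writes.items() if len(w) > 1}


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    for (clsid, view), rec in com_servers(evts).items():
        print(clsid, view, rec["kind"], rec["path"], rec["threading"], sorted(rec["writers"]))
    for iid, w in proxystub_conflicts(evts).items():
        print("ProxyStubClsid32 conflict on", iid, w)
```

On the rows above this yields the proxy/stub DLL WnImeBrokerPS.dll as an in-process server, WnImeBroker.exe as an out-of-process (LocalServer32) server, and class {1CB3BC1A-2FD4-4668-B5C5-646329DD489F} touched under both the native and the WOW6432Node view by the two regsvr32 instances, which matches the two `regsvr32 /s ...\wnTSF.ime` command lines in the Processes section. The table does not give timestamps, so which of the two ProxyStubClsid32 writes won cannot be read from it; a live system would have to be checked.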

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A
N/A N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 932 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2020 wrote to memory of 5084 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2020 wrote to memory of 5084 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2020 wrote to memory of 5084 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2020 wrote to memory of 4772 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2020 wrote to memory of 4772 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2020 wrote to memory of 4772 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe
PID 2020 wrote to memory of 4872 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2020 wrote to memory of 4872 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2020 wrote to memory of 2972 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe
PID 2020 wrote to memory of 2972 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe
PID 2020 wrote to memory of 2972 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe
PID 4872 wrote to memory of 1564 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Windows\system32\regsvr32.exe
PID 4872 wrote to memory of 1564 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Windows\system32\regsvr32.exe
PID 2020 wrote to memory of 3468 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2020 wrote to memory of 3468 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2020 wrote to memory of 3468 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4872 wrote to memory of 432 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4872 wrote to memory of 432 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4872 wrote to memory of 432 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Windows\SysWOW64\regsvr32.exe
PID 932 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 4772 wrote to memory of 4296 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 4772 wrote to memory of 4296 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 4772 wrote to memory of 4296 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 1548 wrote to memory of 208 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 1548 wrote to memory of 208 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 1548 wrote to memory of 208 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe
PID 1548 wrote to memory of 2820 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 1548 wrote to memory of 2820 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 1548 wrote to memory of 2820 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 2820 wrote to memory of 904 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 2820 wrote to memory of 904 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 2820 wrote to memory of 904 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1548 wrote to memory of 5036 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 1548 wrote to memory of 5036 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 1548 wrote to memory of 5036 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 5036 wrote to memory of 1384 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 5036 wrote to memory of 1384 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 5036 wrote to memory of 1384 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1548 wrote to memory of 4908 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 1548 wrote to memory of 4908 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 1548 wrote to memory of 4908 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe
PID 5036 wrote to memory of 2424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 5036 wrote to memory of 2424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 5036 wrote to memory of 2424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
PID 5036 wrote to memory of 772 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 5036 wrote to memory of 772 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 5036 wrote to memory of 772 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 5036 wrote to memory of 4160 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 5036 wrote to memory of 4160 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 5036 wrote to memory of 4160 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 5036 wrote to memory of 3716 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 5036 wrote to memory of 3716 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 5036 wrote to memory of 3716 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 5036 wrote to memory of 1612 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 5036 wrote to memory of 1612 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 5036 wrote to memory of 1612 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
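
The WriteProcessMemory rows above repeat each parent/child pair up to three times (a CreateProcess populates the new process's address space in several writes) and they never name the parent of PID 1548 (WnService.exe). The script below is an added example, not code from this report or from the sandbox: it rebuilds the process tree from rows in this layout, collapsing the repeats, and lists the processes that appear only as parents, i.e. whose launcher is outside the table. SAMPLE_ROWS is a subset of the rows above copied verbatim; the row layout `PID <parent> wrote to memory of <child> N/A <parent image> <child image>` is assumed from the table.

```python
"""Rebuild the parent/child process tree from 'Suspicious use of
WriteProcessMemory' rows of a sandbox report.

Added example: not code from the report or from the sandbox. SAMPLE_ROWS is a
verbatim subset of the report's rows; the row layout is assumed from the table.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
PID 932 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 932 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 2020 wrote to memory of 5084 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe
PID 2020 wrote to memory of 4872 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe
PID 2020 wrote to memory of 2972 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe
PID 4872 wrote to memory of 1564 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Windows\system32\regsvr32.exe
PID 4872 wrote to memory of 432 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1548 wrote to memory of 2820 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe
PID 2820 wrote to memory of 904 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe
PID 1548 wrote to memory of 5036 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe
PID 5036 wrote to memory of 2424 N/A C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe
"""

# Both image paths may contain spaces ("Program Files (x86)"), so the split
# point is the second drive-letter prefix, not whitespace.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image, child_image).

    One process creation shows up as several WriteProcessMemory rows, so the
    same (parent, child) pair is kept once, in first-seen order.
    """
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: " + line)
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge[:2] not in seen:
            seen.add(edge[:2])
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map parent pid -> [child pids] and pid -> image path."""
    children, image = defaultdict(list), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid].append(cpid)
        image.setdefault(ppid, pimg)
        image[cpid] = cimg
    return children, image


def roots(children):
    """PIDs that appear as a parent but never as a child.

    A root other than the submitted sample means its launcher is not in the
    table; for WnService.exe ('StartService' on its command line) that is
    consistent with the service control manager starting it.
    """
    all_children = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in all_children)


def render(children, image, pid, depth=0, out=None):
    """Indented text rendering of the subtree under pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {image.get(pid, '?')}")
    for c in children.get(pid, []):
        render(children, image, c, depth + 1, out)
    return "\n".join(out)


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    children, image = build_tree(edges)
    for r in roots(children):
        print(render(children, image, r))
        print()
```

Run against the full table the same code gives two roots: the submitted sample (PID 932) and WnService.exe (PID 1548), the latter spawning WnImeManager.exe, WnCloud.exe, WnUpd.exe and a second WnCore.exe lineage that ends in WnUserPage.exe AutoLogin and WnWordManager.exe UpLoadUserTypeInfo.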

Processes

C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a0ef212b275d8cdddba3e8e04a181129_JaffaCakes118.exe"

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" InstallWuBiSpreadOperate JaffaCakes118240612

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" CheckSysMb

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe" RunAutoLoadDict

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnAccount64.exe" /InstallIME Wn

C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe

"C:\Windows\SysWOW64\IME\WanNengWB\WnImeBroker.exe" /RegServer

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\wnTSF.ime

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32" /s "C:\Windows\SysWOW64\IME\WanNengWB\WnImeBrokerPS.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe /s C:\Windows\SysWOW64\wnTSF.ime

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateStartMenu

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" CreateWGDestTopShortCut

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" DownloadCellDictMb 2476,6904,6448,6452,6446,6447,6913,2491,4174

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnService.exe" StartService

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnImeManager.exe" CheckInstallIme

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCloud.exe" RunCloud

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" CloudHelper

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" SoftExtraOperate

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunPushMessageBySrfAuto

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUpd.exe" RunAuto

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnUserPage.exe" AutoLogin

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe" UpLoadUserTypeInfo

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" QueryAppInfo

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnTool.exe" RunServerCmd

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetSrfCompWndSpreadLink

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

"C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe" RunGetWindowPopData

Network

Country Destination Domain Proto
US 8.8.8.8:53 tjv1.wn51.com udp
US 8.8.8.8:53 downcell.wn51.com udp
US 8.8.8.8:53 config.wn51.com udp
US 8.8.8.8:53 dqxb.wn51.com udp
US 8.8.8.8:53 theuser.wnwb.com udp
US 8.8.8.8:53 downcell.wn51.com udp
US 8.8.8.8:53 downcell.wn51.com udp
US 8.8.8.8:53 downcell.wn51.com udp
US 8.8.8.8:53 downcell.wn51.com udp
US 8.8.8.8:53 downcell.wn51.com udp

Files

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnCore.exe

MD5 73cf4d8b60648fa84617ac9804f48f29
SHA1 fd12af2bca8a09394b99c848c4bc507248512359
SHA256 8154ce3a561f7a39e984d875933d8f5825c53e192b9c03f6ffab4df330a0f1f8
SHA512 95bda0498bddbb08ba67ac03c3cebf4e8c7063525b9783d249c5882bbd788610daa545e105f028d7cad9cd253ec80fb0f4e1215a620ac8a5a903042a47a6386d

C:\Program Files (x86)\Common Files\WanNengWBInput\WanNengWB.ini

MD5 b92aeb3cd3c5f3c0e6840b5220758a59
SHA1 38b24727a298d5aec3ecfc42b71e51c1146a5063
SHA256 4db5dcba3d9f597892ce8ae2619f38d0ef1a843fe19fdeca506884f33cbcaa64
SHA512 75b2eae3a5e088fea8b44a381a27292836e5eadf9166dcf09460c7347d1ef66bda899c02143a6fcc27b9a3110c034ebe46e5628ab40b92dab9bea88a06f271e4

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WanNengWBInfo.ini

MD5 caf10e2ed911f4e676c7de972222a9a3
SHA1 05726d27e3dca8628aee576933b98491f553e3c8
SHA256 fbd3651c51a18dc181752864f443c166b3d521cbd23a50264dc51bb248957669
SHA512 e0c6a56f89282ff10704742966eb42ca58ecd8b909b49c8bbc8b1801d32e6baa1ac0bf74da1a9fcc6cb577d42fd67848ff673f49583ea52ae27090d98bb93925

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWordManager.exe

MD5 c88cfb5d130b7f971922584976ef23f8
SHA1 5c06fd6eb51482fbbb7d10fb93ca6d0f84402830
SHA256 1fc17489fda6627c2105e0ce5901b4e73ee0acb8cf7344c9b26b0d9b909bf2b0
SHA512 eedb196c17f746556a50ebf619ea17d54861ae74edcd1efa623d9c95189e99124155b87e05b86810c61c55b0b0fce944658c4c7a52698771a6b435f3d20c84b6

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\DuiLib32.dll

MD5 a3818800ad55631ece2c6389f58c437e
SHA1 fa527223fa27279cf9ea960b86cc8df06515a006
SHA256 06e248ca24fcedb2c4da03a0aee95b21ff396329b5dd84a84f0729f84b151f79
SHA512 999497bc97cfb7d00b74a66b13778f013a1e37b700d8d5ca7e7698f69ac8246d47ada98d0ec7e973d1d47da403541a4e053428f6e42a2fe5ac1009d777d7f2fd

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\WnWizard.exe

MD5 1c303a4d36d0f0899a4b814bfa882fd5
SHA1 2d772b40209b01bbbc23fcb2f4963a924d0b2deb
SHA256 15fa4fd8a148f89812893256647e1d412c0e8ed480edf89004f36cd041b1ba05
SHA512 9baad17e2e99944493bfb646b813b59bf169246cafc3ba7942434b8ab3e78c39e4892b1eaf36482ae886713b1a4b3b21978945f3d4fe0515b51fff15b512f878

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\skin\___.wnpf

MD5 0c3ab7880f71f521a6405cad27a06e46
SHA1 eae5ad330b4a0ca346a89c6c005ed913fc8e9e07
SHA256 cf33679af59ba9649f7d838d37bd016e1ba2bf82479527a47e598460d479388b
SHA512 5e127b683d53057cc14200637c177ab612bb6e7d1e7e45bc401ad24a0d488cfd1614e9a62954f82531f5c90d58f2b32c7d072ef4e0e7112cf151d2b097d26668

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.phrase.dat

MD5 107912ba37911fe82eb4988cd20e36a3
SHA1 9f91e1f78ad1e5ac9b1755feb12a560a05ec8b13
SHA256 37de573fd8f348b04edaf11bfa41dc89dcdd73b87807abbad3579a202de3c28e
SHA512 242413a4f8b965a6ff01ca046c06046168a61e2df022dd0916b52e22a39e67d591ea464224b6247a23ae7e362d224185fb9cd0fb5c42e55eec1bf7ed2554e375

C:\Program Files (x86)\WanNengWBInput\9.7.0.0426\Dict\py.markov.dat

MD5 199b1e07b487dbb76705972fc87b0475
SHA1 722623c68bda6956f49cc77ea53b53adc1489a81
SHA256 49007b2ec759e15198d01d908d10ffb782f037673ba9267a459737c93583000a
SHA512 46accadbd0f089cc3caeb8678972201f3012905f101d3691e7cc695f679c2aa343b842131bb655aa92a980146720ea0678d24120c50bf51662f8365ed919202d

C:\Users\Admin\AppData\LocalLow\WanNengWBIME\Config\Related.ini

MD5 bbe122341326acd70c1013d812813639