Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WYGM.exe' = '"%ProgramFiles(x86)%\Wanyx\WYGM.exe" -background'
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\tool\WYRTLFix.exe" name="ÍæÓÎÏ·ºÐÔËÐпâ¼ì²â³ÌÐò" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\tool\WYPluginFix.exe" name="ÍæÓÎÏ·ºÐÏÂÔГ¹ÊÕϼì²â³ÌÐò" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYDLPlatform.exe" name="ÍæÓÎÏ·ºÐÏÂÔГƽ̨" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYGM.exe" name="ÍæÓÎÏ·ºÐ¹ÜÀГÆ÷" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYFlash.exe" name="ÍæÓÎÏ·ºÐflashÓÎÏ·³ÌÐò" mode=ENABLE scope=ALL
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Modifies file system
Creates the following files
- %TEMP%\nsh7704.tmp
- %TEMP%\gmicon\68947.gmp
- %TEMP%\gmicon\68948.gmp
- %TEMP%\gmicon\68950.gmp
- %TEMP%\gmicon\68951.gmp
- %TEMP%\gmicon\68953.gmp
- %TEMP%\gmicon\68954.gmp
- %TEMP%\gmicon\68956.gmp
- %TEMP%\gmicon\68945.gmp
- %TEMP%\gmicon\68946.gmp
- %TEMP%\gmicon\68958.gmp
- %TEMP%\gmicon\68961.gmp
- %TEMP%\gmicon\68962.gmp
- %TEMP%\gmicon\68963.gmp
- %TEMP%\gm~b14c.tmp
- %TEMP%\gmicon\20082.gmp
- %TEMP%\gm~b41b.tmp
- %TEMP%\gmicon\20323.gmp
- %TEMP%\gmicon\68959.gmp
- %TEMP%\gmicon\68960.gmp
- %TEMP%\gmicon\68941.gmp
- %TEMP%\gmicon\68939.gmp
- %TEMP%\gmicon\68937.gmp
- %TEMP%\gm~a0f5.tmp
- %TEMP%\gmicon\68901.gmp
- %TEMP%\gmicon\68902.gmp
- %TEMP%\gmicon\68903.gmp
- %TEMP%\gmicon\68905.gmp
- %TEMP%\gmicon\68906.gmp
- %TEMP%\gmicon\68907.gmp
- %TEMP%\gmicon\68910.gmp
- %TEMP%\gm~a106.tmp
- %TEMP%\gmicon\68916.gmp
- %TEMP%\gmicon\68922.gmp
- %TEMP%\gmicon\68924.gmp
- %TEMP%\gmicon\68925.gmp
- %TEMP%\gmicon\68926.gmp
- %TEMP%\gmicon\68927.gmp
- %TEMP%\gmicon\68930.gmp
- %TEMP%\gmicon\68932.gmp
- %TEMP%\gmicon\68933.gmp
- %TEMP%\gmicon\68919.gmp
- %TEMP%\gmicon\20399.gmp
- %TEMP%\gm~b6da.tmp
- %TEMP%\gmicon\16857.gmp
- %TEMP%\gmicon\16858.gmp
- %TEMP%\gmicon\16882.gmp
- %TEMP%\gmicon\16883.gmp
- %TEMP%\gmicon\16884.gmp
- %TEMP%\gmicon\16885.gmp
- %TEMP%\gmicon\16886.gmp
- %TEMP%\gmicon\16887.gmp
- %TEMP%\gmicon\16888.gmp
- %TEMP%\gmicon\16889.gmp
- %TEMP%\gmicon\16890.gmp
- %TEMP%\gmicon\16891.gmp
- %TEMP%\gmicon\16892.gmp
- %TEMP%\gmicon\16893.gmp
- %TEMP%\gmicon\16894.gmp
- %TEMP%\gmicon\16895.gmp
- %TEMP%\gmicon\16896.gmp
- %TEMP%\gmicon\16897.gmp
- %TEMP%\gmicon\16898.gmp
- %TEMP%\gmicon\16899.gmp
- %TEMP%\gmicon\16900.gmp
- %TEMP%\gmicon\16881.gmp
- %TEMP%\gmicon\16879.gmp
- %TEMP%\gmicon\16880.gmp
- %TEMP%\gmicon\16878.gmp
- %TEMP%\gmicon\16859.gmp
- %TEMP%\gmicon\16860.gmp
- %TEMP%\gmicon\16861.gmp
- %TEMP%\gmicon\16862.gmp
- %TEMP%\gmicon\16863.gmp
- %TEMP%\gmicon\16864.gmp
- %TEMP%\gmicon\16865.gmp
- %TEMP%\gmicon\16866.gmp
- %TEMP%\gmicon\16867.gmp
- %TEMP%\gmicon\16868.gmp
- %TEMP%\gmicon\16869.gmp
- %TEMP%\gmicon\16870.gmp
- %TEMP%\gmicon\16871.gmp
- %TEMP%\gmicon\16872.gmp
- %TEMP%\gmicon\16873.gmp
- %TEMP%\gmicon\16874.gmp
- %TEMP%\gmicon\16875.gmp
- %TEMP%\gmicon\16876.gmp
- %TEMP%\gmicon\16877.gmp
- %TEMP%\gm~c5c9.tmp
- %TEMP%\gm~9cd0.tmp
- %APPDATA%\wanyx\tipad.gmx
- %APPDATA%\wanyx\slider\slider_201608_20160817130948555.gif
- %ProgramFiles(x86)%\wanyx\tool\wymini.exe
- %ProgramFiles(x86)%\wanyx\tool\wyrtlfix.exe
- %ProgramFiles(x86)%\wanyx\tool\wypluginfix.exe
- %ProgramFiles(x86)%\wanyx\tool\microsoft.vc80.crt.manifest
- %ProgramFiles(x86)%\wanyx\tool\msvcp80.dll
- %ProgramFiles(x86)%\wanyx\tool\msvcr80.dll
- %APPDATA%\wanyx\data\database.gmx
- %ProgramFiles(x86)%\wanyx\tool\wyextp.exe
- %ProgramFiles(x86)%\wanyx\tool\wyup.exe
- %APPDATA%\wanyx\data\plugin\hot.gmx
- %APPDATA%\wanyx\data\plugin\netwl.gmx
- %APPDATA%\wanyx\data\plugin\inwl.gmx
- %APPDATA%\wanyx\data\plugin\pc.gmx
- %ProgramFiles(x86)%\wanyx\audio\complete.wav
- %TEMP%\gm~b653.tmp
- %APPDATA%\wanyx\update.ini
- %TEMP%\gm~bbb1.tmp
- %APPDATA%\wanyx\data\plugin\top.gmx
- %APPDATA%\wanyx\data\plugin\scan.gmx
- %ProgramFiles(x86)%\wanyx\tool\wydlutils.dll
- %ProgramFiles(x86)%\wanyx\tool\wyuirender.dll
- %ProgramFiles(x86)%\wanyx\tool\wycommon.dll
- %TEMP%\nsw7714.tmp\wynsisminiextend.dll
- %ProgramFiles(x86)%\wanyx\wygm.exe
- %ProgramFiles(x86)%\wanyx\wyflash.exe
- %ProgramFiles(x86)%\wanyx\wybrowser.exe
- %ProgramFiles(x86)%\wanyx\wyweb.exe
- %ProgramFiles(x86)%\wanyx\wyupdate.exe
- %ProgramFiles(x86)%\wanyx\wyversion.dll
- %ProgramFiles(x86)%\wanyx\wybugreport.exe
- %TEMP%\nsw7714.tmp\system.dll
- %ProgramFiles(x86)%\wanyx\wyurlencrypt.dll
- %ProgramFiles(x86)%\wanyx\wydlutils.dll
- %ProgramFiles(x86)%\wanyx\wydlplatform.exe
- %ProgramFiles(x86)%\wanyx\wyuirender.dll
- %ProgramFiles(x86)%\wanyx\microsoft.vc80.crt.manifest
- %ProgramFiles(x86)%\wanyx\msvcp80.dll
- %ProgramFiles(x86)%\wanyx\msvcr80.dll
- %ProgramFiles(x86)%\wanyx\uninstall.exe
- %ProgramFiles(x86)%\wanyx\tool\wybubble.exe
- %ProgramFiles(x86)%\wanyx\wycommon.dll
- %TEMP%\gm~c237.tmp
- %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\玩游戏盒.lnk
- %APPDATA%\microsoft\internet explorer\quick launch\Гæóîï·ºð.lnk
- %HOMEPATH%\desktop\Гæóîï·ºð.lnk
- %APPDATA%\wanyx\slider\slider_202012_20201211141922116.jpg
- %APPDATA%\wanyx\slider\slider_202012_20201211141928301.jpg
- %APPDATA%\wanyx\slider\slider_202007_20200723164836906.jpg
- %APPDATA%\wanyx\slider\slider_202007_20200723164842618.jpg
- %APPDATA%\wanyx\slider\slider_201605_20160523162136750.gif
- %APPDATA%\wanyx\slider\slider_202012_20201211142142243.jpg
- %APPDATA%\wanyx\slider\slider_202012_20201211142115609.jpg
- %APPDATA%\wanyx\slider\slider_202011_20201113154158760.jpg
- %TEMP%\wanyxtemp\wyupdate.exe
- %TEMP%\wanyxtemp\wyurlencrypt.dll
- %TEMP%\wanyxtemp\msvcr80.dll
- %TEMP%\wanyxtemp\msvcp80.dll
- %TEMP%\wanyxtemp\microsoft.vc80.crt.manifest
- %TEMP%\wanyxtemp\wycommon.dll
- %TEMP%\wanyxtemp\wyuirender.dll
- %TEMP%\wanyxtemp\download\kuai8_c100001_s1.exe
- %APPDATA%\wanyx\slider\slider_201609_20160912133331969.gif
- %TEMP%\wanyxtemp\download.gmt
- %TEMP%\wanyxtemp\startup.gmt
- %APPDATA%\wanyx\slider\slider_202011_20201123163555858.png
- %APPDATA%\wanyx\slider\slider_202012_20201211142012370.jpg
- %APPDATA%\wanyx\slider\slider_202011_20201123163552534.png
- %TEMP%\gm~35f8.tmp
- %HOMEPATH%\desktop\Гæóîï·ò³óî´óìü.lnk
- %APPDATA%\microsoft\windows\start menu\programs\Гæóîï·ºð\Гæóîï·ºð.lnk
- %APPDATA%\microsoft\windows\start menu\programs\Гæóîï·ºð\Гæóîï·flash²¥·åæ÷.lnk
- %APPDATA%\microsoft\windows\start menu\programs\Гæóîï·ºð\Гæóîï·ò³óî´óìü.lnk
- %APPDATA%\microsoft\windows\start menu\programs\Гæóîï·ºð\ð¶ôøГæóîï·ºð.lnk
- %TEMP%\wanyxtemp\restart.gmt
- %APPDATA%\wanyx\data\local\recent.xml
- %APPDATA%\wanyx\data\local\user.xml
- %APPDATA%\wanyx\data\search.gms-journal
- %APPDATA%\wanyx\data\search.gms
- %APPDATA%\wanyx\config\config.xml
- %APPDATA%\wanyx\cache.xml
- %APPDATA%\wanyx\slider\slider_202101_20210106150002469.jpg
- %TEMP%\gm~2246.tmp
- %APPDATA%\wanyx\slider\slider_202101_20210106150009317.jpg
- %APPDATA%\wanyx\slider\slider_201911_20191101162633286.jpg
- %TEMP%\gm$d.879.3003\kuai8_c100001_s1.exe
- %APPDATA%\wanyx\slider\slider_201911_20191101162639705.jpg
- %APPDATA%\wanyx\slider\slider_202012_20201211142006700.jpg
- %TEMP%\wanyxtemp\upgrade.gmt
- %TEMP%\gmicon\40008.gmp
Deletes the following files
- %APPDATA%\wanyx\data\plugin\hot.gmx
- %APPDATA%\wanyx\data\plugin\top.gmx
- %TEMP%\nsw7714.tmp\system.dll
- %TEMP%\nsw7714.tmp\wynsisminiextend.dll
- %APPDATA%\wanyx\data\search.gms-journal
- %APPDATA%\wanyx\data\plugin\scan.gmx
- %TEMP%\gm$d.879.3003\kuai8_c100001_s1.exe
- %TEMP%\gm~a0f5.tmp
- %TEMP%\gm~b14c.tmp
- %TEMP%\gm~b41b.tmp
- %TEMP%\gm~b6da.tmp
- %TEMP%\gm~c5c9.tmp
Moves the following files
- from %TEMP%\gm~c237.tmp to %APPDATA%\wanyx\data\database.gmx
- from %TEMP%\gmicon\16877.gmp to %APPDATA%\wanyx\pic\16877.gmp
- from %TEMP%\gmicon\16876.gmp to %APPDATA%\wanyx\pic\16876.gmp
- from %TEMP%\gmicon\16875.gmp to %APPDATA%\wanyx\pic\16875.gmp
- from %TEMP%\gmicon\16874.gmp to %APPDATA%\wanyx\pic\16874.gmp
- from %TEMP%\gmicon\16873.gmp to %APPDATA%\wanyx\pic\16873.gmp
- from %TEMP%\gmicon\16872.gmp to %APPDATA%\wanyx\pic\16872.gmp
- from %TEMP%\gmicon\16871.gmp to %APPDATA%\wanyx\pic\16871.gmp
- from %TEMP%\gmicon\16870.gmp to %APPDATA%\wanyx\pic\16870.gmp
- from %TEMP%\gmicon\16878.gmp to %APPDATA%\wanyx\pic\16878.gmp
- from %TEMP%\gmicon\16869.gmp to %APPDATA%\wanyx\pic\16869.gmp
- from %TEMP%\gmicon\16867.gmp to %APPDATA%\wanyx\pic\16867.gmp
- from %TEMP%\gmicon\16866.gmp to %APPDATA%\wanyx\pic\16866.gmp
- from %TEMP%\gmicon\16865.gmp to %APPDATA%\wanyx\pic\16865.gmp
- from %TEMP%\gmicon\16864.gmp to %APPDATA%\wanyx\pic\16864.gmp
- from %TEMP%\gmicon\16863.gmp to %APPDATA%\wanyx\pic\16863.gmp
- from %TEMP%\gmicon\16862.gmp to %APPDATA%\wanyx\pic\16862.gmp
- from %TEMP%\gmicon\16861.gmp to %APPDATA%\wanyx\pic\16861.gmp
- from %TEMP%\gmicon\16860.gmp to %APPDATA%\wanyx\pic\16860.gmp
- from %TEMP%\gmicon\16868.gmp to %APPDATA%\wanyx\pic\16868.gmp
- from %TEMP%\gmicon\16890.gmp to %APPDATA%\wanyx\pic\16890.gmp
- from %TEMP%\gmicon\16900.gmp to %APPDATA%\wanyx\pic\16900.gmp
- from %TEMP%\gmicon\16881.gmp to %APPDATA%\wanyx\pic\16881.gmp
- from %TEMP%\gmicon\16899.gmp to %APPDATA%\wanyx\pic\16899.gmp
- from %TEMP%\gmicon\16898.gmp to %APPDATA%\wanyx\pic\16898.gmp
- from %TEMP%\gmicon\16897.gmp to %APPDATA%\wanyx\pic\16897.gmp
- from %TEMP%\gmicon\16896.gmp to %APPDATA%\wanyx\pic\16896.gmp
- from %TEMP%\gmicon\16895.gmp to %APPDATA%\wanyx\pic\16895.gmp
- from %TEMP%\gmicon\16894.gmp to %APPDATA%\wanyx\pic\16894.gmp
- from %TEMP%\gmicon\16893.gmp to %APPDATA%\wanyx\pic\16893.gmp
- from %TEMP%\gmicon\16892.gmp to %APPDATA%\wanyx\pic\16892.gmp
- from %TEMP%\gmicon\16859.gmp to %APPDATA%\wanyx\pic\16859.gmp
- from %TEMP%\gmicon\16891.gmp to %APPDATA%\wanyx\pic\16891.gmp
- from %TEMP%\gmicon\16889.gmp to %APPDATA%\wanyx\pic\16889.gmp
- from %TEMP%\gmicon\16888.gmp to %APPDATA%\wanyx\pic\16888.gmp
- from %TEMP%\gmicon\16887.gmp to %APPDATA%\wanyx\pic\16887.gmp
- from %TEMP%\gmicon\16886.gmp to %APPDATA%\wanyx\pic\16886.gmp
- from %TEMP%\gmicon\16885.gmp to %APPDATA%\wanyx\pic\16885.gmp
- from %TEMP%\gmicon\16884.gmp to %APPDATA%\wanyx\pic\16884.gmp
- from %TEMP%\gmicon\16883.gmp to %APPDATA%\wanyx\pic\16883.gmp
- from %TEMP%\gmicon\16882.gmp to %APPDATA%\wanyx\pic\16882.gmp
- from %TEMP%\gmicon\16879.gmp to %APPDATA%\wanyx\pic\16879.gmp
- from %TEMP%\gmicon\16880.gmp to %APPDATA%\wanyx\pic\16880.gmp
- from %TEMP%\gmicon\16858.gmp to %APPDATA%\wanyx\pic\16858.gmp
- from %TEMP%\gmicon\68937.gmp to %APPDATA%\wanyx\pic\68937.gmp
- from %TEMP%\gmicon\68930.gmp to %APPDATA%\wanyx\pic\68930.gmp
- from %TEMP%\gmicon\68927.gmp to %APPDATA%\wanyx\pic\68927.gmp
- from %TEMP%\gmicon\68926.gmp to %APPDATA%\wanyx\pic\68926.gmp
- from %TEMP%\gmicon\68925.gmp to %APPDATA%\wanyx\pic\68925.gmp
- from %TEMP%\gmicon\68924.gmp to %APPDATA%\wanyx\pic\68924.gmp
- from %TEMP%\gmicon\68922.gmp to %APPDATA%\wanyx\pic\68922.gmp
- from %TEMP%\gmicon\68919.gmp to %APPDATA%\wanyx\pic\68919.gmp
- from %TEMP%\gmicon\68916.gmp to %APPDATA%\wanyx\pic\68916.gmp
- from %TEMP%\gmicon\68932.gmp to %APPDATA%\wanyx\pic\68932.gmp
- from %TEMP%\gmicon\68910.gmp to %APPDATA%\wanyx\pic\68910.gmp
- from %TEMP%\gmicon\68906.gmp to %APPDATA%\wanyx\pic\68906.gmp
- from %TEMP%\gmicon\68905.gmp to %APPDATA%\wanyx\pic\68905.gmp
- from %TEMP%\gmicon\68903.gmp to %APPDATA%\wanyx\pic\68903.gmp
- from %TEMP%\gmicon\68902.gmp to %APPDATA%\wanyx\pic\68902.gmp
- from %TEMP%\gmicon\68901.gmp to %APPDATA%\wanyx\pic\68901.gmp
- from %TEMP%\gm~a106.tmp to %APPDATA%\wanyx\data\plugin\search.gmx
- from %TEMP%\gm~9cd0.tmp to %APPDATA%\wanyx\data\plugin\quickad.gmx
- from %TEMP%\gm~35f8.tmp to %APPDATA%\wanyx\data\plugin\icon.gmx
- from %TEMP%\gmicon\68907.gmp to %APPDATA%\wanyx\pic\68907.gmp
- from %TEMP%\gmicon\68954.gmp to %APPDATA%\wanyx\pic\68954.gmp
- from %TEMP%\gmicon\20399.gmp to %APPDATA%\wanyx\pic\20399.gmp
- from %TEMP%\gmicon\68939.gmp to %APPDATA%\wanyx\pic\68939.gmp
- from %TEMP%\gmicon\20323.gmp to %APPDATA%\wanyx\pic\20323.gmp
- from %TEMP%\gmicon\20082.gmp to %APPDATA%\wanyx\pic\20082.gmp
- from %TEMP%\gmicon\68963.gmp to %APPDATA%\wanyx\pic\68963.gmp
- from %TEMP%\gmicon\68962.gmp to %APPDATA%\wanyx\pic\68962.gmp
- from %TEMP%\gmicon\68961.gmp to %APPDATA%\wanyx\pic\68961.gmp
- from %TEMP%\gmicon\68960.gmp to %APPDATA%\wanyx\pic\68960.gmp
- from %TEMP%\gmicon\68959.gmp to %APPDATA%\wanyx\pic\68959.gmp
- from %TEMP%\gmicon\68958.gmp to %APPDATA%\wanyx\pic\68958.gmp
- from %TEMP%\gmicon\16857.gmp to %APPDATA%\wanyx\pic\16857.gmp
- from %TEMP%\gmicon\68956.gmp to %APPDATA%\wanyx\pic\68956.gmp
- from %TEMP%\gmicon\68953.gmp to %APPDATA%\wanyx\pic\68953.gmp
- from %TEMP%\gmicon\68951.gmp to %APPDATA%\wanyx\pic\68951.gmp
- from %TEMP%\gmicon\68950.gmp to %APPDATA%\wanyx\pic\68950.gmp
- from %TEMP%\gmicon\68948.gmp to %APPDATA%\wanyx\pic\68948.gmp
- from %TEMP%\gmicon\68947.gmp to %APPDATA%\wanyx\pic\68947.gmp
- from %TEMP%\gmicon\68946.gmp to %APPDATA%\wanyx\pic\68946.gmp
- from %TEMP%\gmicon\68945.gmp to %APPDATA%\wanyx\pic\68945.gmp
- from %TEMP%\gmicon\68941.gmp to %APPDATA%\wanyx\pic\68941.gmp
- from %TEMP%\gmicon\68933.gmp to %APPDATA%\wanyx\pic\68933.gmp
- from %TEMP%\gmicon\40008.gmp to %APPDATA%\wanyx\pic\40008.gmp
Substitutes the following files
- %APPDATA%\wanyx\data\plugin\hot.gmx
- %APPDATA%\wanyx\data\plugin\top.gmx
- %APPDATA%\wanyx\data\search.gms-journal
- %APPDATA%\wanyx\data\plugin\scan.gmx
Network activity
Connects to
- 'up####.wanyxbox.com':80
- 'gm#.##nyxbox.com':80
- 'st##.#anyxbox.com':80
- 'se#####.wanyxbox.com':80
- 'ic##.#anyxbox.com':80
- 'd1.###i8game.com':80
- 'up#.#uai8.com':80
TCP
HTTP GET requests
- http://up####.wanyxbox.com/update_hot.php?da########################################################################################
- http://ic##.#anyxbox.com/game_icon/gmp_64/20190.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20204.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70837.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20218.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20298.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70838.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20299.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20315.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70835.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70854.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20359.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70859.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20360.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20374.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70860.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20391.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20397.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70876.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20189.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70836.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20127.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20053.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/60398.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/17604.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70815.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/17621.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/17647.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70819.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20002.gmp
- http://ic##.#anyxbox.com/slider/202012/20201211142115609.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/20399.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/17270.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20317.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20005.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20016.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20039.gmp
- http://ic##.#anyxbox.com/slider/201609/20160912133331969.gif
- http://ic##.#anyxbox.com/game_icon/gmp_64/20046.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70834.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/20052.gmp
- http://ic##.#anyxbox.com/slider/201608/20160817130948555.gif
- http://ic##.#anyxbox.com/slider/202011/20201113154158760.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/20009.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70830.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/00148.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70877.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68960.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71043.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68961.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68962.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71045.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68963.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/51768.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71050.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/52039.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68958.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/17244.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71020.gmp
- http://gm#.##nyxbox.com/quick_launch_advert/quick_launch_advert_7_9.gmx
- http://up####.wanyxbox.com/update_icon.php?da##########################################################################################
- http://gm#.##nyxbox.com/search/search_1_0.gmx
- http://up#.#uai8.com/gmp_64/2016.03.16/68901-69000.gmz
- http://up####.wanyxbox.com/update_tps.php?da#####################################################################################################################################################...
- http://up#.#uai8.com/gmp_64/2016.12.09/20001-20100.gmz
- http://up#.#uai8.com/gmp_64/2016.12.09/20301-20400.gmz
- http://up#.#uai8.com/gmp_64/2016.12.09/16801-16900.gmz
- http://ic##.#anyxbox.com/game_icon/gmp_64/55842.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/52845.gmp
- http://ic##.#anyxbox.com/slider/202012/20201211142142243.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/68937.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68786.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70882.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68559.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68668.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70896.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68676.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68761.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70909.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68767.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68956.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/67762.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68111.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68897.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70979.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68898.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68902.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71008.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68905.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68906.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71016.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70921.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68781.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16967.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16955.gmp
- http://ic##.#anyxbox.com/slider/201605/20160523162136750.gif
- http://ic##.#anyxbox.com/game_icon/gmp_64/71080.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71081.gmp
- http://ic##.#anyxbox.com/slider/202101/20210106150009317.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/71083.gmp
- http://ic##.#anyxbox.com/slider/201911/20191101162633286.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/71084.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71085.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71077.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71021.gmp
- http://up####.wanyxbox.com/update/?da############################################################################################################################################################...
- http://ic##.#anyxbox.com/game_icon/gmp_64/71086.gmp
- http://d1.###i8game.com/tg/100001/kuai8_c100001_s1.exe
- http://ic##.#anyxbox.com/game_icon/gmp_64/71094.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/14219.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16373.gmp
- http://ic##.#anyxbox.com/slider/201911/20191101162639705.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/16388.gmp
- http://ic##.#anyxbox.com/slider/202012/20201211142006700.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/71087.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71092.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71093.gmp
- http://up#.#uai8.com/gmp_64/2016.09.14/40001-40100.gmz
- http://up####.wanyxbox.com/update_icon.php?da############################################################################
- http://gm#.##nyxbox.com/scan/scan_1_3.gmx
- http://up####.wanyxbox.com/update_top.php?da########################################################################################
- http://gm#.##nyxbox.com/top/top_16_5.gmx
- http://up####.wanyxbox.com/update_database.php?da########################################################################################
- http://gm#.##nyxbox.com/database_new/database_34_2.gmx
- http://st##.#anyxbox.com/stat.php?da####################################################################
- http://st##.#anyxbox.com/stat.php?da#############################################################################################################################################################...
- http://up####.wanyxbox.com/bubble_action.php?da##################################################################################################################################################...
- http://up####.wanyxbox.com/fake_iu.php?da########################################################################################################################################################...
- http://ic##.#anyxbox.com/game_icon/gmp_64/71074.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71075.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70943.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71055.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71056.gmp
- http://up####.wanyxbox.com/update_plugin.php?da##################################################################################################################################################...
- http://ic##.#anyxbox.com/game_icon/gmp_64/71058.gmp
- http://ic##.#anyxbox.com/slider/202101/20210106150002469.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/71059.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71073.gmp
- http://st##.#anyxbox.com/online_stat.php?da######################################################################################################################################################...
- http://gm#.##nyxbox.com/hot_20/hot_20_29_8.gmx
- http://ic##.#anyxbox.com/game_icon/gmp_64/71054.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/68959.gmp
- http://gm#.##nyxbox.com/upicons/upicons_3_8.gmx
- http://ic##.#anyxbox.com/game_icon/gmp_64/00056.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16720.gmp
- http://ic##.#anyxbox.com/slider/202012/20201211141928301.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/70806.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16748.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16757.gmp
- http://ic##.#anyxbox.com/slider/202007/20200723164836906.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/16766.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16770.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/00011.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16714.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70803.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16855.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16856.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70812.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16868.gmp
- http://ic##.#anyxbox.com/slider/202007/20200723164842618.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/16891.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70813.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16897.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16842.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70811.gmp
- http://up####.wanyxbox.com/update_icon.php?da##########################################################################
- http://ic##.#anyxbox.com/game_icon/gmp_64/16852.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/71079.gmp
- http://ic##.#anyxbox.com/slider/202012/20201211142012370.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/00126.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70710.gmp
- http://ic##.#anyxbox.com/slider/202011/20201123163552534.png
- http://ic##.#anyxbox.com/game_icon/gmp_64/00130.gmp
- http://up####.wanyxbox.com/update_icon.php?da##############################################################################
- http://ic##.#anyxbox.com/game_icon/gmp_64/70716.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/00141.gmp
- http://ic##.#anyxbox.com/slider/202011/20201123163555858.png
- http://ic##.#anyxbox.com/slider/202012/20201211141922116.jpg
- http://ic##.#anyxbox.com/game_icon/gmp_64/16700.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/00151.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16423.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70739.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/00005.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70744.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/03838.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70792.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/16541.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70721.gmp
- http://ic##.#anyxbox.com/game_icon/gmp_64/70735.gmp
- http://se#####.wanyxbox.com/time.php?da########
HTTP POST requests
- http://up####.wanyxbox.com/update_icon.php?da########################################################################
- http://st##.#anyxbox.com/stat/do_stat.php?da############################################################################################################
UDP
- DNS ASK up####.wanyxbox.com
- DNS ASK gm#.##nyxbox.com
- DNS ASK st##.#anyxbox.com
- DNS ASK se#####.wanyxbox.com
- DNS ASK ic##.#anyxbox.com
- DNS ASK d1.###i8game.com
- DNS ASK up#.#uai8.com
Miscellaneous
Searches for the following windows
- ClassName: 'GMBubbleWnd' WindowName: ''
- ClassName: 'WanyxGMWnd' WindowName: 'ÍæÓÎÏ·ºÐ'
- ClassName: '' WindowName: 'ÍæÓÎÏ·FlashÓÎÏ·'
- ClassName: '' WindowName: 'ÍæÓÎÏ·ºÐä¯ÀÀÆ÷'
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: 'FolderView'
- ClassName: '' WindowName: '玩游戏Flash游戏'
- ClassName: '' WindowName: '玩游戏盒浏览器'
- ClassName: '' WindowName: '玩游戏升级提示'
- ClassName: '' WindowName: '玩游戏版本更新'
Creates and executes the following
- '%ProgramFiles(x86)%\wanyx\wygm.exe' -update_data
- '%ProgramFiles(x86)%\wanyx\wyupdate.exe' -install
- '%ProgramFiles(x86)%\wanyx\wygm.exe' -startup -atonce
- '%ProgramFiles(x86)%\wanyx\tool\wybubble.exe' -query_action
- '%ProgramFiles(x86)%\wanyx\wyupdate.exe' -update -delay=3 -type=1
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYGM.exe" name="ÍæÓÎÏ·ºÐ¹ÜÀГÆ÷" mode=ENABLE scope=ALL' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYFlash.exe" name="ÍæÓÎÏ·ºÐflashÓÎÏ·³ÌÐò" mode=ENABLE scope=ALL' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYDLPlatform.exe" name="ÍæÓÎÏ·ºÐÏÂÔГƽ̨" mode=ENABLE scope=ALL' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\tool\WYRTLFix.exe" name="ÍæÓÎÏ·ºÐÔËÐпâ¼ì²â³ÌÐò" mode=ENABLE scope=ALL' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\tool\WYPluginFix.exe" name="ÍæÓÎÏ·ºÐÏÂÔГ¹ÊÕϼì²â³ÌÐò" mode=ENABLE scope=ALL' (with hidden window)
- '%ProgramFiles(x86)%\wanyx\wyupdate.exe' -update -delay=3 -type=1' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYGM.exe" name="ÍæÓÎÏ·ºÐ¹ÜÀГÆ÷" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYFlash.exe" name="ÍæÓÎÏ·ºÐflashÓÎÏ·³ÌÐò" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\WYDLPlatform.exe" name="ÍæÓÎÏ·ºÐÏÂÔГƽ̨" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\tool\WYRTLFix.exe" name="ÍæÓÎÏ·ºÐÔËÐпâ¼ì²â³ÌÐò" mode=ENABLE scope=ALL
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program="%ProgramFiles(x86)%\Wanyx\tool\WYPluginFix.exe" name="ÍæÓÎÏ·ºÐÏÂÔГ¹ÊÕϼì²â³ÌÐò" mode=ENABLE scope=ALL
