home

WFini.exe

WFini

Junyan Li

The application WFini.exe by Junyan Li has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “WFini WdMan Service”. While running, it connects to the Internet address server-54-240-186-245.mad50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
WFini LIMITED  (signed by Junyan Li)

Product:
WFini

Version:
20.0.0.2536

MD5:
f1472b607d7eccb93c8a8870117878d7

SHA-1:
28702609b600f5c24e330dcf26d401f8d4e4634c

SHA-256:
31e775c739a20e38684029cec6e14856a5c9416ad70f886f24e4ff359de6afee

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
3/10/2025 1:24:49 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Downloader.JunyanLi.Meta (M)
16.7.6.8

File size:
519.2 KB (531,688 bytes)

Product version:
20.0.0.2536

Copyright:
Copyright (C) WFini.com From 2012

Original file name:
WFini.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\rwinpr\wfini.exe

Digital Signature
Signed by:
Junyan Li

Authority:
thawte, Inc.

Valid from:
7/4/2016 2:00:00 AM

Valid to:
6/3/2017 1:59:59 AM

Subject:
CN=Junyan Li, OU=Individual Developer, O=No Organization Affiliation, L=Baishan, S=Jilin, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
48828E221D33C7AAE3A153149BAED94A

File PE Metadata
Compilation timestamp:
7/6/2016 7:57:29 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:IKnjyaE8SRZsStefgHngwKMI9PZYlB2loPtQAkrUJIWRMcgrX5:IqDeEzoPtQAAvDFrX5

Entry address:
0x44EBE

Entry point:
E8, EF, 03, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 51, 83, 65, FC, 00, 8D, 45, FC, 56, 50, FF, 75, 0C, FF, 75, 08, E8, 58, 05, 01, 00, 8B, F0, 83, C4, 0C, 85, F6, 75, 18, 39, 45, FC, 74, 13, E8, CE, D6, FF, FF, 85, C0, 74, 0A, E8, C5, D6, FF, FF, 8B, 4D, FC, 89, 08, 8B, C6, 5E, 8B, E5, 5D, C3, 55, 8B, EC, 83, 7D, 08, 00, 75, 0B, FF, 75, 0C, E8, E5, E7, FF, FF, 59, 5D, C3, 56, 8B, 75, 0C, 85, F6, 75, 0D, FF, 75, 08, E8, 29, D6, FF, FF, 59, 33, C0, EB, 4D, 53, EB, 30, 85, F6, 75, 01, 46, 56, FF, 75, 08, 6A...
 
[+]

Code size:
393.5 KB (402,944 bytes)

Service
Display name:
WFini WdMan Service

Service name:
WdMan

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-240-186-234.mad50.r.cloudfront.net  (54.240.186.234:80)

TCP (HTTP):
Connects to server-54-240-186-211.mad50.r.cloudfront.net  (54.240.186.211:80)

TCP (HTTP):
Connects to server-54-240-186-245.mad50.r.cloudfront.net  (54.240.186.245:80)

Remove WFini.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.