home

wpm.exe

WFini

Junyan Li

The application wpm.exe by Junyan Li has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “WFini WdMan Service”. While running, it connects to the Internet address server-54-230-163-36.jax1.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
WFini LIMITED  (signed by Junyan Li)

Product:
WFini

Version:
20.0.0.2537

MD5:
423ce6e9e189d1cf347c54a0e08c2ae9

SHA-1:
2d5a38b2853b0c8bdd26fe2a6acf0db12692334d

SHA-256:
f8ccc8dc18288508421f1c766507c25b145ee7c583ac880039a8b0e60b7089d3

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
7/21/2025 4:10:38 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.SearchBeyond (M)
16.7.20.5

File size:
580.7 KB (594,664 bytes)

Product version:
20.0.0.2537

Copyright:
Copyright (C) WFini.com From 2012

Original file name:
WFini.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\temp\{random}.tmp\tools\wpm.exe

Digital Signature
Signed by:
Junyan Li

Authority:
thawte, Inc.

Valid from:
7/20/2016 2:00:00 AM

Valid to:
6/3/2017 1:59:59 AM

Subject:
CN=Junyan Li, OU=Individual Developer, O=No Organization Affiliation, L=Baishan, S=Jilin, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
74C4F3CF7497D7D7E3707AB7A48A80C2

File PE Metadata
Compilation timestamp:
7/19/2016 7:07:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:01/LHdX3JRwKKOo7Y0BZvr/ZGuylkRtavw9wfrmfE3yds17:01DHhJGzSw9wfPTt

Entry address:
0x54F1D

Entry point:
E8, 73, 01, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 51, 83, 65, FC, 00, 8D, 45, FC, 56, 50, FF, 75, 0C, FF, 75, 08, E8, DC, 02, 01, 00, 8B, F0, 83, C4, 0C, 85, F6, 75, 18, 39, 45, FC, 74, 13, E8, 64, D9, FF, FF, 85, C0, 74, 0A, E8, 5B, D9, FF, FF, 8B, 4D, FC, 89, 08, 8B, C6, 5E, 8B, E5, 5D, C3, 55, 8B, EC, 83, 7D, 08, 00, 75, 0B, FF, 75, 0C, E8, 7B, EA, FF, FF, 59, 5D, C3, 56, 8B, 75, 0C, 85, F6, 75, 0D, FF, 75, 08, E8, BF, D8, FF, FF, 59, 33, C0, EB, 4D, 53, EB, 30, 85, F6, 75, 01, 46, 56, FF, 75, 08, 6A...
 
[+]

Code size:
458 KB (468,992 bytes)

Service
Display name:
WFini WdMan Service

Service name:
WdMan

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-63-174.lhr50.r.cloudfront.net  (52.85.63.174:80)

TCP (HTTP):
Connects to server-54-230-163-36.jax1.r.cloudfront.net  (54.230.163.36:80)

TCP (HTTP):
Connects to server-52-85-63-80.lhr50.r.cloudfront.net  (52.85.63.80:80)

TCP (HTTP):
Connects to server-52-85-63-4.lhr50.r.cloudfront.net  (52.85.63.4:80)

TCP (HTTP):
Connects to server-52-85-63-249.lhr50.r.cloudfront.net  (52.85.63.249:80)

TCP (HTTP):
Connects to server-52-85-63-151.lhr50.r.cloudfront.net  (52.85.63.151:80)

TCP (HTTP):
Connects to server-52-85-63-111.lhr50.r.cloudfront.net  (52.85.63.111:80)

TCP (HTTP):
Connects to server-52-84-230-53.sfo9.r.cloudfront.net  (52.84.230.53:80)

TCP (HTTP):
Connects to server-52-84-230-111.sfo9.r.cloudfront.net  (52.84.230.111:80)

Remove wpm.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.