Analysis Overview
SHA256
3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38
Threat Level: Known bad
The file WizWorm.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Contains code to disable Windows Defender
Command and Scripting Interpreter: PowerShell
Modifies Installed Components in the registry
Disables Task Manager via registry modification
Drops startup file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Enumerates connected drives
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies Internet Explorer settings
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Kills process with taskkill
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 21:34
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 21:34
Reported
2024-05-30 21:36
Platform
win7-20240220-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizWorm = "C:\\Users\\Admin\\AppData\\Local\\WizWorm.exe" | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {1062197A-4F26-493F-BBDD-F74793DC0A07} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | auto-london.gl.at.ply.gg | udp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| FR | 162.19.58.161:443 | N/A | tcp |
Files
memory/3032-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
memory/3032-1-0x0000000001130000-0x000000000114E000-memory.dmp
memory/3032-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2600-7-0x0000000002900000-0x0000000002980000-memory.dmp
memory/2600-8-0x000000001B690000-0x000000001B972000-memory.dmp
memory/2600-9-0x0000000001F70000-0x0000000001F78000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d885225bd3f67a7a8bff684fc067d04d |
| SHA1 | 131edc9aa0ba07cf9773642a4b735061ade0c37c |
| SHA256 | 22b4690c700b5bb48cefc346b933022ae5ec86c9610c0c7c3442f91903161030 |
| SHA512 | 42852201e4b4cf01ca1ba85d2faf7700e1462fd0818af11a3bf846e645acf278c5e37b9d707035245712a65b5d1bd74780cc6a1d39b94f2481e47f457880779f |
memory/2548-16-0x00000000028F0000-0x00000000028F8000-memory.dmp
memory/2548-15-0x000000001B570000-0x000000001B852000-memory.dmp
C:\Users\Admin\AppData\Local\WizWorm.exe
| MD5 | a9b00ac5f9c02e540c61381a5fae62c3 |
| SHA1 | 273e272cc73d519c5cba2839de4e6043fd8977b0 |
| SHA256 | 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38 |
| SHA512 | 924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570 |
memory/3032-30-0x000007FEF5693000-0x000007FEF5694000-memory.dmp
memory/3032-31-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/3032-32-0x0000000000D10000-0x0000000000D1C000-memory.dmp
memory/112-36-0x0000000000220000-0x000000000023E000-memory.dmp
memory/1968-39-0x0000000000EA0000-0x0000000000EBE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 21:34
Reported
2024-05-30 21:39
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
297s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizWorm = "C:\\Users\\Admin\\AppData\\Local\\WizWorm.exe" | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{3F1A93DB-8708-49D1-8652-797614E5FF16} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{905B49C6-89EB-44CE-941E-8D52CB47A9A2} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{F974277A-44D6-4552-B81C-08CC072D77B7} | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WizWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\WizWorm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x314
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Users\Admin\AppData\Local\WizWorm.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | auto-london.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
| FR | 162.19.58.157:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 157.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.43:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 43.145.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | www.NiggaFart.com | udp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 8.8.8.8:53 | 212.66.21.104.in-addr.arpa | udp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.34:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 34.144.14.145.in-addr.arpa | udp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 104.21.66.212:80 | www.NiggaFart.com | tcp |
| US | 172.67.164.97:80 | www.NiggaFart.com | tcp |
| US | 8.8.8.8:53 | 97.164.67.172.in-addr.arpa | udp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
| US | 145.14.144.34:443 | wiznon.000webhostapp.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
Files
memory/1600-0-0x00007FF984463000-0x00007FF984465000-memory.dmp
memory/1600-1-0x0000000000C80000-0x0000000000C9E000-memory.dmp
memory/1600-2-0x00007FF984460000-0x00007FF984F21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_opbhkqpz.104.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3308-9-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3308-8-0x000001955EFA0000-0x000001955EFC2000-memory.dmp
memory/3308-14-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3308-15-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3308-16-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3308-17-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3308-20-0x00007FF984460000-0x00007FF984F21000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f41f42c322498af0591f396c59dd4304 |
| SHA1 | e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514 |
| SHA256 | d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c |
| SHA512 | 2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f |
C:\Users\Admin\AppData\Local\WizWorm.exe
| MD5 | a9b00ac5f9c02e540c61381a5fae62c3 |
| SHA1 | 273e272cc73d519c5cba2839de4e6043fd8977b0 |
| SHA256 | 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38 |
| SHA512 | 924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570 |
memory/1600-52-0x00007FF984463000-0x00007FF984465000-memory.dmp
memory/1600-53-0x000000001CAB0000-0x000000001CABE000-memory.dmp
memory/1600-54-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3584-65-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-63-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-64-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-75-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-74-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-73-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-72-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-71-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-70-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/3584-69-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp
memory/1600-76-0x0000000001560000-0x000000000156C000-memory.dmp
memory/1600-83-0x00000000012C0000-0x00000000012CA000-memory.dmp
memory/1600-84-0x000000001DCA0000-0x000000001E3AC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWorm.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_67338D05A3B247529540EAF2B113271D.dat
| MD5 | ff9b0f3bb4ab37b8a39d86ee9c358588 |
| SHA1 | b0867c2f230f1c5f8bc093a5d87ecb9682e7441e |
| SHA256 | b8cccc22bce935670de4eafa50ab9f922170484d9707738518594ed8f3beaba6 |
| SHA512 | cfe41723ad47bd2624b4984a316e627406541c580743beccbd8860cdb5c1317a9ff5c0fdfab6802e8341b228df4b8f45cd6101c7a6b12b2e879a17fcdb2a52bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | f16fdb928ddc10e8df110fa8abb38596 |
| SHA1 | 6904dd8b249b070ad73240674b0a5876af8e831f |
| SHA256 | a246c7ef36267ae1a520a9d4ba4571bf99478afb72c8f7db1df94b425963da8f |
| SHA512 | 0a394753665725c7ed77d2db28663c84d0c0613379ee5c86c7eecf7d7326e2a5863e64e8502551665c466d5ae864f8d3c3394d3948b8dab7114e50224a523abf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
| MD5 | a962530efc9c81cbbed4b7d88da80ecb |
| SHA1 | 64b9d74f1c80c52819127798875088c64c9f8de2 |
| SHA256 | 4feb0e14690f83cf1cffa01aa65f0ca70da692555a5ec4d2a25641adf0a5c678 |
| SHA512 | 4691fe522e2bcfb7bc5e59fc6a8dab45b8569f009f527d86984ed57baec1995c831fe52e8a10d5e16e2d1ca18836be917a3439f2280a47c7360bc2de4fc466d1 |
memory/4132-108-0x0000000004090000-0x0000000004091000-memory.dmp
memory/2516-115-0x0000013540800000-0x0000013540820000-memory.dmp
memory/2516-146-0x0000013540BD0000-0x0000013540BF0000-memory.dmp
memory/2516-134-0x00000135405C0000-0x00000135405E0000-memory.dmp
memory/5696-260-0x00000000045D0000-0x00000000045D1000-memory.dmp
memory/5128-263-0x000002409B700000-0x000002409B800000-memory.dmp
memory/5128-262-0x000002409B700000-0x000002409B800000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
| MD5 | 84209e171da10686915fe7efcd51552d |
| SHA1 | 6bf96e86a533a68eba4d703833de374e18ce6113 |
| SHA256 | 04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b |
| SHA512 | 48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd |
memory/5128-268-0x000002489D800000-0x000002489D820000-memory.dmp
memory/5128-280-0x000002489D5B0000-0x000002489D5D0000-memory.dmp
memory/5128-296-0x000002489DC50000-0x000002489DC70000-memory.dmp
memory/4916-411-0x00000000048F0000-0x00000000048F1000-memory.dmp
memory/5384-418-0x00000297FFC60000-0x00000297FFC80000-memory.dmp
memory/5384-441-0x00000297FFC20000-0x00000297FFC40000-memory.dmp
memory/5384-442-0x0000028F800C0000-0x0000028F800E0000-memory.dmp
memory/1252-548-0x00000000048E0000-0x00000000048E1000-memory.dmp
memory/4236-550-0x00000296F4E20000-0x00000296F4F20000-memory.dmp
memory/4236-556-0x00000296F5F80000-0x00000296F5FA0000-memory.dmp
memory/4236-569-0x00000296F5F40000-0x00000296F5F60000-memory.dmp
memory/4236-585-0x00000296F6350000-0x00000296F6370000-memory.dmp
memory/5756-700-0x0000000004E50000-0x0000000004E51000-memory.dmp
memory/4540-708-0x000002EF31280000-0x000002EF312A0000-memory.dmp
memory/4540-702-0x000002EF30120000-0x000002EF30220000-memory.dmp
memory/4540-737-0x000002EF31240000-0x000002EF31260000-memory.dmp
memory/4540-739-0x000002EF31650000-0x000002EF31670000-memory.dmp
memory/3488-853-0x00000000028D0000-0x00000000028D1000-memory.dmp
memory/5624-854-0x0000021383600000-0x0000021383700000-memory.dmp
memory/5624-855-0x0000021383600000-0x0000021383700000-memory.dmp
memory/5624-860-0x00000213852F0000-0x0000021385310000-memory.dmp
memory/5624-879-0x00000213852B0000-0x00000213852D0000-memory.dmp
memory/5624-891-0x00000213858C0000-0x00000213858E0000-memory.dmp
memory/1456-1004-0x0000000004250000-0x0000000004251000-memory.dmp
memory/1236-1012-0x0000020FD83C0000-0x0000020FD83E0000-memory.dmp
memory/1236-1043-0x0000020FD8790000-0x0000020FD87B0000-memory.dmp
memory/1236-1042-0x0000020FD8380000-0x0000020FD83A0000-memory.dmp
memory/2516-1150-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
memory/5380-1153-0x0000023A94C00000-0x0000023A94D00000-memory.dmp
memory/5380-1151-0x0000023A94C00000-0x0000023A94D00000-memory.dmp
memory/5380-1156-0x0000023A95D60000-0x0000023A95D80000-memory.dmp
memory/5380-1152-0x0000023A94C00000-0x0000023A94D00000-memory.dmp
memory/5380-1177-0x0000023A95D20000-0x0000023A95D40000-memory.dmp
memory/5380-1189-0x0000023A96130000-0x0000023A96150000-memory.dmp
memory/1600-1300-0x00000000012B0000-0x00000000012BE000-memory.dmp
memory/5668-1301-0x0000000004A10000-0x0000000004A11000-memory.dmp
memory/6032-1303-0x0000026A3E700000-0x0000026A3E800000-memory.dmp
memory/6032-1309-0x0000026A3F9A0000-0x0000026A3F9C0000-memory.dmp
memory/6032-1329-0x0000026A3FE00000-0x0000026A3FE20000-memory.dmp
memory/6032-1328-0x0000026A3F960000-0x0000026A3F980000-memory.dmp
memory/1600-1379-0x000000001EC40000-0x000000001F168000-memory.dmp
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | 6bd369f7c74a28194c991ed1404da30f |
| SHA1 | 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643 |
| SHA256 | 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d |
| SHA512 | 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | d2fb266b97caff2086bf0fa74eddb6b2 |
| SHA1 | 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d |
| SHA256 | b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a |
| SHA512 | c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\Windows[2].json
| MD5 | c00b3f9d9cce523191a21fadff7d901e |
| SHA1 | ac5fb9ea0f6c4a76e82368f173d5e592387088a3 |
| SHA256 | 9ba404eb666e44ab21dc5b06656a1ffca0af4ab734cddc2311dca49a30df3d44 |
| SHA512 | ed027acd8c780f5c9c6d0feebdd8f0c6ae277e3f5086a6f58e21e37d641713e829e01623d0561873e0ef06edcf22aa2f526585a43ff7c0664919d2f9f3316b00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\Windows[1].json
| MD5 | 76f465a1d31632420393bdbae3d7f966 |
| SHA1 | bb5db6deb00043af62243e95cb732daed7f9d835 |
| SHA256 | f80d4b530521484358d3e676d98608d26c9622fa8b71e44af9c23969ce1cdde2 |
| SHA512 | c0b77bc63db7e54dcbc60c04cdbc21f359e69b3f1f5aa79eb286dad1904240fd2c75b4fb6451268dbbeaf37578cf9878b6afd976f0d272bbf1232ee96ba077fe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
| MD5 | 394a3c2cb6ccc54900376628e9d73778 |
| SHA1 | 01b89d3281860d2a037534f0d249e6079bbe278c |
| SHA256 | a0bbb7c84673fa5b63589eb5472518a8a0a7fa542351f47981a6968a9f08bd67 |
| SHA512 | 167d71364c60573cf0e29e7c643ab9a2e089fdf7e6b1e0165baf70dd4bb849a41c40e7e13c06f71e91cb8498375e086e1d7cb9ae84d97881e69aa9c1831df14f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
| MD5 | d665f37c675ed0a5d4da5074326276ce |
| SHA1 | 714a69f40fe5d2d128ef32e2ea147d9e88af2d9b |
| SHA256 | 4d7a3d85737a43ee991b249dc7a2f57097bb73bf764d7be887203c3349705412 |
| SHA512 | ba296d0e6cfb77e4df8661e2609bd61cce88232171212df3906500ff31f23fde81f6abb418491b4bbabb41f86fee3eddd68fefa26840c6689ab5d19686dcce95 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 769a4366a5c2582f8040ec5296199cc5 |
| SHA1 | 0186b1f6948cc5b14f8142e13f8dd1a5ff9bc1d6 |
| SHA256 | 4fe4c74d79fd94e165d0665bdaade219eb79e5fa363ad82a05ed3f261bedfe96 |
| SHA512 | cf26d252b3d6bfbd0809988f0b853eeb8a03889b6ba26003e007617fd4aa5c670b2f2d1cf487e75558d81ae9ca8ffb82f99b9496bf877d206070344f3f229e32 |
C:\Windows\INF\machine.PNF
| MD5 | ce1637d02213e1380f3a522319816a83 |
| SHA1 | 00368aa3aa7ac5e5a0b0ed916a4c7e6fb5a1abef |
| SHA256 | 6c97257ea095fb66371eb677046b081f121f9130702f4c31af9461b0b2b6f5a7 |
| SHA512 | 148785c9bfb3fedd3bf1793636d679161405e0688b93b83384a4abc0836776a42117ed48d08f3a079f1b53f6dc89457c6a14bb1590dea169c76846dd0db8bde7 |