Malware Analysis Report

2024-11-16 13:39

Sample ID 240530-1ewbesbe57
Target WizWorm.exe
SHA256 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38
Tags: xworm evasion execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38

Threat Level: Known bad

The file WizWorm.exe was found to be: Known bad.

Malicious Activity Summary

xworm evasion execution persistence rat trojan

Xworm family

Detect Xworm Payload

Xworm

Contains code to disable Windows Defender

Command and Scripting Interpreter: PowerShell

Modifies Installed Components in the registry

Disables Task Manager via registry modification

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Kills process with taskkill

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-30 21:34

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 21:34
Reported: 2024-05-30 21:36
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizWorm = "C:\\Users\\Admin\\AppData\\Local\\WizWorm.exe" C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3032 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\schtasks.exe
PID 3032 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\schtasks.exe
PID 3032 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\schtasks.exe
PID 1616 wrote to memory of 112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WizWorm.exe
PID 1616 wrote to memory of 112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WizWorm.exe
PID 1616 wrote to memory of 112 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WizWorm.exe
PID 1616 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WizWorm.exe
PID 1616 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WizWorm.exe
PID 1616 wrote to memory of 1968 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WizWorm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\WizWorm.exe

"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1062197A-4F26-493F-BBDD-F74793DC0A07} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 i.ibb.co udp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 tcp

Files

memory/3032-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/3032-1-0x0000000001130000-0x000000000114E000-memory.dmp

memory/3032-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2600-7-0x0000000002900000-0x0000000002980000-memory.dmp

memory/2600-8-0x000000001B690000-0x000000001B972000-memory.dmp

memory/2600-9-0x0000000001F70000-0x0000000001F78000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d885225bd3f67a7a8bff684fc067d04d
SHA1 131edc9aa0ba07cf9773642a4b735061ade0c37c
SHA256 22b4690c700b5bb48cefc346b933022ae5ec86c9610c0c7c3442f91903161030
SHA512 42852201e4b4cf01ca1ba85d2faf7700e1462fd0818af11a3bf846e645acf278c5e37b9d707035245712a65b5d1bd74780cc6a1d39b94f2481e47f457880779f

memory/2548-16-0x00000000028F0000-0x00000000028F8000-memory.dmp

memory/2548-15-0x000000001B570000-0x000000001B852000-memory.dmp

C:\Users\Admin\AppData\Local\WizWorm.exe

MD5 a9b00ac5f9c02e540c61381a5fae62c3
SHA1 273e272cc73d519c5cba2839de4e6043fd8977b0
SHA256 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38
SHA512 924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

memory/3032-30-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/3032-31-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/3032-32-0x0000000000D10000-0x0000000000D1C000-memory.dmp

memory/112-36-0x0000000000220000-0x000000000023E000-memory.dmp

memory/1968-39-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-30 21:34
Reported: 2024-05-30 21:39
Platform: win10v2004-20240226-en
Max time kernel: 154s
Max time network: 297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizWorm.lnk C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizWorm = "C:\\Users\\Admin\\AppData\\Local\\WizWorm.exe" C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{3F1A93DB-8708-49D1-8652-797614E5FF16} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{905B49C6-89EB-44CE-941E-8D52CB47A9A2} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{F974277A-44D6-4552-B81C-08CC072D77B7} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WizWorm.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1600 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\schtasks.exe
PID 1600 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\System32\schtasks.exe
PID 1600 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\explorer.exe
PID 1600 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\explorer.exe
PID 1600 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1600 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1600 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\explorer.exe
PID 1600 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\WizWorm.exe C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\WizWorm.exe

"C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizWorm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WizWorm.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizWorm" /tr "C:\Users\Admin\AppData\Local\WizWorm.exe"

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4c0 0x314

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Users\Admin\AppData\Local\WizWorm.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
FR 162.19.58.157:443 i.ibb.co tcp
US 8.8.8.8:53 157.58.19.162.in-addr.arpa udp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.179.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 wiznon.000webhostapp.com udp
US 145.14.145.43:443 wiznon.000webhostapp.com tcp
US 8.8.8.8:53 43.145.14.145.in-addr.arpa udp
US 8.8.8.8:53 wiz.bounceme.net udp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 wiz.bounceme.net udp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 8.8.8.8:53 www.NiggaFart.com udp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 8.8.8.8:53 212.66.21.104.in-addr.arpa udp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 8.8.8.8:53 wiz.bounceme.net udp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 8.8.8.8:53 wiznon.000webhostapp.com udp
US 145.14.144.34:443 wiznon.000webhostapp.com tcp
US 8.8.8.8:53 34.144.14.145.in-addr.arpa udp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 104.21.66.212:80 www.NiggaFart.com tcp
US 172.67.164.97:80 www.NiggaFart.com tcp
US 8.8.8.8:53 97.164.67.172.in-addr.arpa udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 145.14.144.34:443 wiznon.000webhostapp.com tcp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 8.8.8.8:53 wiz.bounceme.net udp
US 65.191.34.109:6000 wiz.bounceme.net tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp

Files

memory/1600-0-0x00007FF984463000-0x00007FF984465000-memory.dmp

memory/1600-1-0x0000000000C80000-0x0000000000C9E000-memory.dmp

memory/1600-2-0x00007FF984460000-0x00007FF984F21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_opbhkqpz.104.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3308-9-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3308-8-0x000001955EFA0000-0x000001955EFC2000-memory.dmp

memory/3308-14-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3308-15-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3308-16-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3308-17-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3308-20-0x00007FF984460000-0x00007FF984F21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f41f42c322498af0591f396c59dd4304
SHA1 e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514
SHA256 d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c
SHA512 2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

C:\Users\Admin\AppData\Local\WizWorm.exe

MD5 a9b00ac5f9c02e540c61381a5fae62c3
SHA1 273e272cc73d519c5cba2839de4e6043fd8977b0
SHA256 3ad4aa1921b844c635bbeef2a492a3d1ff134af6a38a1c31d7d264da3e192a38
SHA512 924316a6cd0b91617d23010cc031ccbc1a99c4d72f9199fb3215d68ae6ea6cc9c3a4888777bf4c72d920d940e68b828a4ede75c299a5f7b7f804250cea4ae570

memory/1600-52-0x00007FF984463000-0x00007FF984465000-memory.dmp

memory/1600-53-0x000000001CAB0000-0x000000001CABE000-memory.dmp

memory/1600-54-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3584-65-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-63-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-64-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-75-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-74-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-73-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-72-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-71-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-70-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/3584-69-0x00000215E9BB0000-0x00000215E9BB1000-memory.dmp

memory/1600-76-0x0000000001560000-0x000000000156C000-memory.dmp

memory/1600-83-0x00000000012C0000-0x00000000012CA000-memory.dmp

memory/1600-84-0x000000001DCA0000-0x000000001E3AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWorm.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_67338D05A3B247529540EAF2B113271D.dat

MD5 ff9b0f3bb4ab37b8a39d86ee9c358588
SHA1 b0867c2f230f1c5f8bc093a5d87ecb9682e7441e
SHA256 b8cccc22bce935670de4eafa50ab9f922170484d9707738518594ed8f3beaba6
SHA512 cfe41723ad47bd2624b4984a316e627406541c580743beccbd8860cdb5c1317a9ff5c0fdfab6802e8341b228df4b8f45cd6101c7a6b12b2e879a17fcdb2a52bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 f16fdb928ddc10e8df110fa8abb38596
SHA1 6904dd8b249b070ad73240674b0a5876af8e831f
SHA256 a246c7ef36267ae1a520a9d4ba4571bf99478afb72c8f7db1df94b425963da8f
SHA512 0a394753665725c7ed77d2db28663c84d0c0613379ee5c86c7eecf7d7326e2a5863e64e8502551665c466d5ae864f8d3c3394d3948b8dab7114e50224a523abf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 a962530efc9c81cbbed4b7d88da80ecb
SHA1 64b9d74f1c80c52819127798875088c64c9f8de2
SHA256 4feb0e14690f83cf1cffa01aa65f0ca70da692555a5ec4d2a25641adf0a5c678
SHA512 4691fe522e2bcfb7bc5e59fc6a8dab45b8569f009f527d86984ed57baec1995c831fe52e8a10d5e16e2d1ca18836be917a3439f2280a47c7360bc2de4fc466d1

memory/4132-108-0x0000000004090000-0x0000000004091000-memory.dmp

memory/2516-115-0x0000013540800000-0x0000013540820000-memory.dmp

memory/2516-146-0x0000013540BD0000-0x0000013540BF0000-memory.dmp

memory/2516-134-0x00000135405C0000-0x00000135405E0000-memory.dmp

memory/5696-260-0x00000000045D0000-0x00000000045D1000-memory.dmp

memory/5128-263-0x000002409B700000-0x000002409B800000-memory.dmp

memory/5128-262-0x000002409B700000-0x000002409B800000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml

MD5 84209e171da10686915fe7efcd51552d
SHA1 6bf96e86a533a68eba4d703833de374e18ce6113
SHA256 04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b
SHA512 48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

memory/5128-268-0x000002489D800000-0x000002489D820000-memory.dmp

memory/5128-280-0x000002489D5B0000-0x000002489D5D0000-memory.dmp

memory/5128-296-0x000002489DC50000-0x000002489DC70000-memory.dmp

memory/4916-411-0x00000000048F0000-0x00000000048F1000-memory.dmp

memory/5384-418-0x00000297FFC60000-0x00000297FFC80000-memory.dmp

memory/5384-441-0x00000297FFC20000-0x00000297FFC40000-memory.dmp

memory/5384-442-0x0000028F800C0000-0x0000028F800E0000-memory.dmp

memory/1252-548-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/4236-550-0x00000296F4E20000-0x00000296F4F20000-memory.dmp

memory/4236-556-0x00000296F5F80000-0x00000296F5FA0000-memory.dmp

memory/4236-569-0x00000296F5F40000-0x00000296F5F60000-memory.dmp

memory/4236-585-0x00000296F6350000-0x00000296F6370000-memory.dmp

memory/5756-700-0x0000000004E50000-0x0000000004E51000-memory.dmp

memory/4540-708-0x000002EF31280000-0x000002EF312A0000-memory.dmp

memory/4540-702-0x000002EF30120000-0x000002EF30220000-memory.dmp

memory/4540-737-0x000002EF31240000-0x000002EF31260000-memory.dmp

memory/4540-739-0x000002EF31650000-0x000002EF31670000-memory.dmp

memory/3488-853-0x00000000028D0000-0x00000000028D1000-memory.dmp

memory/5624-854-0x0000021383600000-0x0000021383700000-memory.dmp

memory/5624-855-0x0000021383600000-0x0000021383700000-memory.dmp

memory/5624-860-0x00000213852F0000-0x0000021385310000-memory.dmp

memory/5624-879-0x00000213852B0000-0x00000213852D0000-memory.dmp

memory/5624-891-0x00000213858C0000-0x00000213858E0000-memory.dmp

memory/1456-1004-0x0000000004250000-0x0000000004251000-memory.dmp

memory/1236-1012-0x0000020FD83C0000-0x0000020FD83E0000-memory.dmp

memory/1236-1043-0x0000020FD8790000-0x0000020FD87B0000-memory.dmp

memory/1236-1042-0x0000020FD8380000-0x0000020FD83A0000-memory.dmp

memory/2516-1150-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/5380-1153-0x0000023A94C00000-0x0000023A94D00000-memory.dmp

memory/5380-1151-0x0000023A94C00000-0x0000023A94D00000-memory.dmp

memory/5380-1156-0x0000023A95D60000-0x0000023A95D80000-memory.dmp

memory/5380-1152-0x0000023A94C00000-0x0000023A94D00000-memory.dmp

memory/5380-1177-0x0000023A95D20000-0x0000023A95D40000-memory.dmp

memory/5380-1189-0x0000023A96130000-0x0000023A96150000-memory.dmp

memory/1600-1300-0x00000000012B0000-0x00000000012BE000-memory.dmp

memory/5668-1301-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/6032-1303-0x0000026A3E700000-0x0000026A3E800000-memory.dmp

memory/6032-1309-0x0000026A3F9A0000-0x0000026A3F9C0000-memory.dmp

memory/6032-1329-0x0000026A3FE00000-0x0000026A3FE20000-memory.dmp

memory/6032-1328-0x0000026A3F960000-0x0000026A3F980000-memory.dmp

memory/1600-1379-0x000000001EC40000-0x000000001F168000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\Windows[2].json

MD5 c00b3f9d9cce523191a21fadff7d901e
SHA1 ac5fb9ea0f6c4a76e82368f173d5e592387088a3
SHA256 9ba404eb666e44ab21dc5b06656a1ffca0af4ab734cddc2311dca49a30df3d44
SHA512 ed027acd8c780f5c9c6d0feebdd8f0c6ae277e3f5086a6f58e21e37d641713e829e01623d0561873e0ef06edcf22aa2f526585a43ff7c0664919d2f9f3316b00

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\Windows[1].json

MD5 76f465a1d31632420393bdbae3d7f966
SHA1 bb5db6deb00043af62243e95cb732daed7f9d835
SHA256 f80d4b530521484358d3e676d98608d26c9622fa8b71e44af9c23969ce1cdde2
SHA512 c0b77bc63db7e54dcbc60c04cdbc21f359e69b3f1f5aa79eb286dad1904240fd2c75b4fb6451268dbbeaf37578cf9878b6afd976f0d272bbf1232ee96ba077fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 394a3c2cb6ccc54900376628e9d73778
SHA1 01b89d3281860d2a037534f0d249e6079bbe278c
SHA256 a0bbb7c84673fa5b63589eb5472518a8a0a7fa542351f47981a6968a9f08bd67
SHA512 167d71364c60573cf0e29e7c643ab9a2e089fdf7e6b1e0165baf70dd4bb849a41c40e7e13c06f71e91cb8498375e086e1d7cb9ae84d97881e69aa9c1831df14f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 d665f37c675ed0a5d4da5074326276ce
SHA1 714a69f40fe5d2d128ef32e2ea147d9e88af2d9b
SHA256 4d7a3d85737a43ee991b249dc7a2f57097bb73bf764d7be887203c3349705412
SHA512 ba296d0e6cfb77e4df8661e2609bd61cce88232171212df3906500ff31f23fde81f6abb418491b4bbabb41f86fee3eddd68fefa26840c6689ab5d19686dcce95

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 769a4366a5c2582f8040ec5296199cc5
SHA1 0186b1f6948cc5b14f8142e13f8dd1a5ff9bc1d6
SHA256 4fe4c74d79fd94e165d0665bdaade219eb79e5fa363ad82a05ed3f261bedfe96
SHA512 cf26d252b3d6bfbd0809988f0b853eeb8a03889b6ba26003e007617fd4aa5c670b2f2d1cf487e75558d81ae9ca8ffb82f99b9496bf877d206070344f3f229e32

C:\Windows\INF\machine.PNF

MD5 ce1637d02213e1380f3a522319816a83
SHA1 00368aa3aa7ac5e5a0b0ed916a4c7e6fb5a1abef
SHA256 6c97257ea095fb66371eb677046b081f121f9130702f4c31af9461b0b2b6f5a7
SHA512 148785c9bfb3fedd3bf1793636d679161405e0688b93b83384a4abc0836776a42117ed48d08f3a079f1b53f6dc89457c6a14bb1590dea169c76846dd0db8bde7