Analysis Overview
SHA256
7bdd0af1bd40c6f7267a83218a882962067867e1a65a84e3ff1198f21b5a8baf
Threat Level: Known bad
The file WizClient.rar was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Command and Scripting Interpreter: PowerShell
Drops startup file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Modifies registry class
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 05:46
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 05:46
Reported
2024-06-15 06:18
Platform
win10v2004-20240611-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\WizClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk | C:\Users\Admin\Downloads\WizClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk | C:\Users\Admin\Downloads\WizClient.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe" | C:\Users\Admin\Downloads\WizClient.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629041691907984" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WizClient.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\WizClient.rar"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B8ED88EB397721798C67FA50D37CF1F --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=37A3E4210D2AECAAEEA9A350CBD6243B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=37A3E4210D2AECAAEEA9A350CBD6243B --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=71E45F55D3C83496B1D62CF652AC540D --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=408E1C78BC3C4DB439690E5DFD6D5799 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC6F06C4CE6932C26C82C7ACFE5E264F --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc39eaab58,0x7ffc39eaab68,0x7ffc39eaab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2508 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4852 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4772 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2424 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3508 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2424 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3124 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5472 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5788 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5876 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1908,i,14510733895111896170,3569193801444024980,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2765:80:7zEvent4264
C:\Users\Admin\Downloads\WizClient.exe
"C:\Users\Admin\Downloads\WizClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\WizClient.exe'
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
Network
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.49:443 | wiznon.000webhostapp.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | 49.145.14.145.in-addr.arpa | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.74:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 74.145.14.145.in-addr.arpa | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.225:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 225.145.14.145.in-addr.arpa | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.72:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 72.145.14.145.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.50:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 50.144.14.145.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.241:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 241.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.222:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 222.144.14.145.in-addr.arpa | udp |
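The table above interleaves the sandbox's own background traffic (Google and Bing telemetry, ad networks, the analysis host's reverse lookups) with the sample's connections. The following is an added example, not part of this report: a Python helper that parses rows in this table's format and ranks TCP endpoints by the signals an analyst triages on, repeated connections to the same host:port, non-web ports, and dynamic-DNS or tunnel-provider zones. The suffix list, the thresholds and the sample rows (a constructed subset of the report's rows) are this example's assumptions.

```python
"""Rank C2 candidates from sandbox Network-table rows.
Added example, not part of the sandbox report."""
import re
from collections import Counter

# Rows constructed for this example, in the report's Network-table format
# (a subset of the destinations the report records).
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 145.14.144.126:443 | wiznon.000webhostapp.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 145.14.145.49:443 | wiznon.000webhostapp.com | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
"""

_ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")

# Assumption of this example: zones of dynamic-DNS and tunnelling providers that
# commodity RATs commonly use as rendezvous points (bounceme.net is a No-IP zone,
# ply.gg is used by the playit.gg tunnelling service). Maintain the list yourself.
RENDEZVOUS_SUFFIXES = (".bounceme.net", ".ddns.net", ".ply.gg", ".duckdns.org")
WEB_PORTS = {80, 443}
REPEAT_THRESHOLD = 3


def parse_rows(text):
    """Return (country, ip, port, domain, proto) tuples for every well-formed row."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            conns.append((cc, ip, int(port), domain, proto))
    return conns


def resolved_domains(conns):
    """Forward DNS lookups only; the sandbox's PTR lookups (in-addr.arpa) are noise here."""
    return sorted({d for _, _, port, d, proto in conns
                   if proto == "udp" and port == 53 and not d.endswith(".in-addr.arpa")})


def score_endpoints(conns):
    """Group TCP connections by endpoint and attach the reasons it looks like C2."""
    counts = Counter((ip, port, dom) for _, ip, port, dom, proto in conns if proto == "tcp")
    scored = []
    for (ip, port, dom), n in counts.most_common():
        reasons = []
        if port not in WEB_PORTS:
            reasons.append(f"non-web port {port}")
        if dom.endswith(RENDEZVOUS_SUFFIXES):
            reasons.append("dynamic-DNS/tunnel zone")
        if n >= REPEAT_THRESHOLD:
            reasons.append(f"{n} repeated connections")
        scored.append({"ip": ip, "port": port, "domain": dom, "count": n,
                       "reasons": reasons, "score": len(reasons)})
    return scored


def c2_candidates(conns, min_score=2):
    """Endpoints with at least min_score of the three signals, most-connected first."""
    return [e for e in score_endpoints(conns) if e["score"] >= min_score]


def blocklist(conns):
    """'ip:port domain' lines for a firewall or proxy block list."""
    return [f'{e["ip"]}:{e["port"]} {e["domain"]}' for e in c2_candidates(conns)]


if __name__ == "__main__":
    conns = parse_rows(SAMPLE_ROWS)
    print("resolved:", resolved_domains(conns))
    for e in c2_candidates(conns):
        print(f'{e["ip"]}:{e["port"]:<6} {e["domain"]:<35} x{e["count"]}  {"; ".join(e["reasons"])}')
```

Run over the full table, the two endpoints that dominate it (65.191.34.109:6000 behind wiz.bounceme.net and 147.185.221.19:42957 behind programme-garden.gl.at.ply.gg) come out on top. The wiznon.000webhostapp.com fetches over 443 score zero on these heuristics even though their name and recurrence in both runs suggest they belong to the same campaign, so treat the score as a triage order, not a verdict, and carry the low-scoring domains into the IOC set by hand.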
Files
\??\pipe\crashpad_800_MRODZXBLVCVNRSSG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 1ad70578d85928dd4ed8954c04cb3950 |
| SHA1 | ec44e1dda30816a15b43ceef3b195cad5f8238e2 |
| SHA256 | 570b6b7730ff809e8afd84f32cb905d594aab685d9feaa490b2e025f48906cd6 |
| SHA512 | b7804c2f611ca6aa9ee822f5319530338de9e6c142337bd79db653f199ac0c38c44e55009e5496768fde2e2160b6941504d088219d3144834600d6c09834789d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f858f59b481179613c169fe3c4ce3bdd |
| SHA1 | fb51859864974d6a1b4b72e3947b9235ac8d81b4 |
| SHA256 | 77b361bc4cff94ae7922d1a8bb2a1080d85828ed7b04483d8e6273290fa78a45 |
| SHA512 | f6e2a17f86cb8d04aa7f734effe537d52f3a7c11efafb6c9a3b556f24372bb5b1e07be7e47ac5530023469907bc47e1151c08ed57256663aaf4d00226116bd72 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 9569d45f631e484810d43ab912f8e407 |
| SHA1 | 25c504e6186792bacdc2e22d247e5da124154c2b |
| SHA256 | d44253fdfe2fcf81c9bf90a989db2d4de4f00c48eaced03385b1534e48994ff5 |
| SHA512 | 5e826353fbfb3ca86c4ab9dcd9a78b0a5ae1caf9aaf1941e6a128f3f56df82a36fd7e2bcbf886b910ec3cb7900e710829a19e90b328dd61af9d8706c29f68242 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 0820b2b709b0f77be707b11aa30eaeb2 |
| SHA1 | ece968d673dd8d0bf145ce698f0995cac58257f9 |
| SHA256 | 9e772bddb0960ae387ea4145cabcad0a465e2ac2beaed8982c6c67b23117f498 |
| SHA512 | 0a1c1d4ae5270026b97cc0ec16a86f0c5ebfa5af599d480aea3cafac88f58eaeeb3dd802af93cb34e608f35b90737bead348b07390f8fef80491c266e4e89078 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c790983291210af3607f5964cd232fd1 |
| SHA1 | 8f8c5bf75aefa0b709431e9cb6dcec43238d9b57 |
| SHA256 | 22ee885cecb14f9bab059ecf483f2e8256d5a1985c8242e0bfb650cf19c690ae |
| SHA512 | ad0043a69be85c13f105db7de36f2921dadc88294e923188e0d3b0abc05404203eaf8bb848823ef95bd0c6338d09634a0c4db8702263c52d0e2d16be698b65de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cfaea1201ad530cfc63261b186df16df |
| SHA1 | 5ddb421536a9decef516b7968e8f620fd017c57b |
| SHA256 | 6e71f8e0030726babcaefccacb4116d8aadb511f0f8e1ca2a4f9028cf4c4ab7f |
| SHA512 | 2afac6a5fe1361dd25db9e8b516fcaf46a81ecaecf2b9ac2c73a13d6dfbce36606be4efe4806fe875a0199a6e71fa89b4d2bc7ac7c316b704a8e103522064443 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | a87e0ee49c6a8073c9d01f1b42fe0bcb |
| SHA1 | 5e6b6dc09cf64c518915b315da7ddcdbebd7173a |
| SHA256 | 2689a7194bfc2171f69825ea18b5b34786a72c03c9bd75513deb818e18f1b5e9 |
| SHA512 | 1055e1923d94a63ebaa36228c34ad3d239fcc53708059ecab303d6637e6d75bee503dd732795b43d9c8b0d844a4abb080d7a56e3e859ea7aeb66f048a1f10472 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59214a.TMP
| MD5 | 648b024a2ee417a6ea9fabd9de1de356 |
| SHA1 | 9ece8d0d26f823aabe19cfa6248c7a635b91c126 |
| SHA256 | 540f1d089b57239086f6d5f8de9a2c9cfc311fc2fc8c92150b560ba791a715dd |
| SHA512 | 4cf8c4ab350ae6bc99147b3f566c591a5905b48882e46f1dad7e0dd0c09de31dda0d5bba5a831932af51abdec369d234509de8a98e038ce555111b5b1fe7f81d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5598a2b191aeb28ad369a6f993f57864 |
| SHA1 | a6fc04bcc17fd85f6222ca662514eae7e12ab575 |
| SHA256 | b455606dc32215ea8b8695a25d3c3d7992070060d2dd2ea1e942e28b6c7c2526 |
| SHA512 | cc02343a9b878e176ed6e0e974d3ac3e39ecbdde6953f611883327492912fc44e8efce6cd0bb24266ef0708ba0ff460c075b8e597f759fba063b5399ab66b1eb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3dfcd3bd86f0807f7599b4ba72e433ed |
| SHA1 | caa8e9cca12063bcbf65dbac3b23a373e63e89c4 |
| SHA256 | ee519c2e47b38cd3428e95fa4f516768f3ed2bb999afd2eed98b192e8fd73a2c |
| SHA512 | 6689adc4dc4a612800b7d489609b388124a45d857d1b72caa2321b798ef4ae0507474cb990ba79ae3820d1249a5276ed0d3c7883bc05663f04ee6fa2946c88c9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 97f327c1338a0d819ffa5ab89257373e |
| SHA1 | f1f723d16f40de9305f6a8ee4a636f1822af155b |
| SHA256 | 1dc6dabe1e0dc072202680239d3545cc5048c3ce21b9e6c0bf49b70ad97d98c7 |
| SHA512 | ccf4e51854dff870b488123893882908a51619fa9e770908ab9ca77c8409effb3e293ec11ccd1a08e8ca9957d4b13e3894b3775478fe6369683887d92cf66c35 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | bea8ae528e4c5a644e8b90081d301ac9 |
| SHA1 | 417cea5248ba4de27c1f31de93ccae0c11be0538 |
| SHA256 | e79b8654c0460aaf0a5017b200fe5b772ae93c421701e1c6c655c7df060eeaba |
| SHA512 | 31ed61a2b628575d7a8a432f3a4d893b4b61ec1ec75642be0cba547f970a0f315d5f07c23d2d117a540247198251661a6a08167520054e702a1fe205517f1512 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 470c484d845a561382ae7553dcc8b10e |
| SHA1 | 59cbbaee65699e659c2f521c4fad454cc3c8d7af |
| SHA256 | 813d0ce04b5fa0d06065c490f24d61694747984eb736a017b62dcf24072c61c8 |
| SHA512 | fc75d51f0ddf4d552160560bddb233a115fe19d3a073518a690b3758c756bb5f80e63742dd94c0aeaae57ae664aa1a757f8e5cc45b6f6dbe5de31ffe4244e029 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fc0b31662894549daf7f7b2aca2f0dce |
| SHA1 | 81f1a5f5abce04b8672bd2650331db71dbb03f75 |
| SHA256 | 77cd047a1ce19188e5466465ce63fa62564fadcdc31a40ba5f1ee01c2a778284 |
| SHA512 | d63404c01b65475dad46a6bed932216108fa29be0efc000a67b201fd79668c16e52db1fc738f614fe43ab4f3967387cbcabd8a954504b2cad695f56ceb8555ab |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 003d6a4482bde946f714924858dfb464 |
| SHA1 | 3db60c25a98a513a4bd5c6af41a366d9a4e0e1e4 |
| SHA256 | f54b78473e596778d831b8b58de2c51b8173393737f8262c87c17fc9018ada85 |
| SHA512 | d32a829c27f70daea9a4d92d27d15d8f9418dc8fbd1a37b2ee2532466764ec277d8d4f9fde84b4b334e22446f78df3ec8622c4c2b9205dbfa20f765e28cda1a0 |
C:\Users\Admin\Downloads\WizClient.rar
| MD5 | 8c20b4eece51e9c8a4dab876cc9c9dba |
| SHA1 | a6176ec2bf842203667dbf5658d5dc524727c7a6 |
| SHA256 | 7bdd0af1bd40c6f7267a83218a882962067867e1a65a84e3ff1198f21b5a8baf |
| SHA512 | 7bfae6417fd3dd4b40d806eb2526826dbe23e0bb2e1e02a940f2a42ed3f0234263d6bcc307c3e88fb6e68f55ed354e4ef8eee8e18f85dd0e8a61d29efa56cc79 |
C:\Users\Admin\Downloads\WizClient.exe
| MD5 | 6f262adee7c149b7346d2d85087541dd |
| SHA1 | dcd1a1c19b41af259946654bf3b17bf4cf6d3466 |
| SHA256 | 55c9dc86e15768f647ca1f042c8786dee53387125f2f26e87c2ff0ebb42eb5e8 |
| SHA512 | e6e85b2fb893a7769519719c05c0ec2b58687e87bc9af1e564628aca3ceec3aef8092955e889ac687aef7f250bd937a4442c2153252a0aceee1b8daa7ceefbdb |
memory/3036-332-0x0000000000210000-0x0000000000224000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1e561ad763ec7ef98a384c5486829ce9 |
| SHA1 | abbcd5583ac2668aae9765001ae78cc5b73be78b |
| SHA256 | 8b07561cbe089e053eee31df63dc2620e4e443190cc1efb48f5c3fdb72a81fd2 |
| SHA512 | 214e6b98aabc805773252a868257202082dec3b5c2f104f52d0275b84038aba82df1147dc8efdda884dfe6d4f402071e4d6352ebadd694bdcd5f117d6bed739d |
memory/2580-342-0x000001D0E1540000-0x000001D0E1562000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3khkchi.isp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
memory/2396-367-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-366-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-365-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-372-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-377-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-376-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-375-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-374-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-373-0x000001E705050000-0x000001E705051000-memory.dmp
memory/2396-371-0x000001E705050000-0x000001E705051000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22310ad6749d8cc38284aa616efcd100 |
| SHA1 | 440ef4a0a53bfa7c83fe84326a1dff4326dcb515 |
| SHA256 | 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf |
| SHA512 | 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk
| MD5 | ae567b6278ed0b0191179dd1bd37c5fe |
| SHA1 | 72f6e061d27d2964e5cd80700669c1c5c46ea4a9 |
| SHA256 | 41773ad30dec8ffdd8fa6bc9dbbac7b74e48ad591d85b5d79d51f18204af58bf |
| SHA512 | 3b1747fe9f4a2fa96b14c7f802debd6adcd22d57c4b6a5ccb8886a0fb97a1dec1ca3499689d9afbb9bad50ed80119eead801c3384970e27fa74fdbe46866ab2b |
memory/3036-400-0x000000001C070000-0x000000001C07E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 44abbd2c8223f68e184335c160e55e6e |
| SHA1 | 53735d4d00e6d073d89b357a4a3a536b95aa245e |
| SHA256 | 13268ace27340754e5c2cc04f72de572eb141b62cbdac339dcd99f8a40f88eab |
| SHA512 | 4304aa9f39053e90dc6928141be845439ee9ada430127930148ab1ab47cbfeb73a144dbb4b730e04ad21322c086147672c5b21ca3e96da16c70cb13e86be02cc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizClient.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 4515f4569ffce29b9c10e9baaada4347 |
| SHA1 | 7140adc7025d3de41b1b34a435abbdd0213de8ad |
| SHA256 | 356924712657f60304d21c9ae8210bcc9033ca6053298f1e9b094d42a6d71d96 |
| SHA512 | 4e14066577d0915b1a9d8d799302e0256d8681c120615164e5aaa882ba2122906e3827615dd2250207cc0cbbb18d4a95ae023523018acfb6fdc3293e827060cb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 05:46
Reported
2024-06-15 06:18
Platform
win10v2004-20240611-en
Max time kernel
1798s
Max time network
1801s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WizClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk | C:\Users\Admin\AppData\Local\Temp\WizClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk | C:\Users\Admin\AppData\Local\Temp\WizClient.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe" | C:\Users\Admin\AppData\Local\Temp\WizClient.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WizClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\WizClient.exe
"C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
C:\ProgramData\WizClient.exe
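The command lines above record the sample's setup in order: three PowerShell runs that add Defender exclusions for the dropped binary (by path in Temp, by process name, then for the C:\ProgramData copy), followed by schtasks creating a HIGHEST-run-level task named WizClient that launches C:\ProgramData\WizClient.exe every minute, which is consistent with the long run of C:\ProgramData\WizClient.exe process entries; the Run key and the Startup-folder .lnk in the Signatures section are the fallback persistence. The following is an added example, not part of this report or of the sample: a Python detector that runs those command lines, plus two benign lines constructed for contrast, through rules for the Defender exclusion, the execution-policy bypass, the scheduled task and execution from user-writable directories, and then correlates an exclusion and a task that name the same binary. The rule names, the benign lines and the heuristic label are this example's assumptions; the ATT&CK IDs are the standard ones for these techniques.

```python
"""Flag the Defender-exclusion and scheduled-task persistence chain in
process-creation command lines. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass

# Command lines recorded in the report's Processes section, plus two benign
# lines constructed for this example so the rules can be shown not to fire.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\WizClient.exe"',
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizClient.exe'""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'""",
    r'''"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"''',
    r"C:\ProgramData\WizClient.exe",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',  # benign, constructed
    r'"C:\Windows\System32\schtasks.exe" /query /tn "ExampleMaintenance"',           # benign, constructed
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # MITRE ATT&CK technique ID, or "heuristic"
    value: str = ""  # extracted path, process name or task action
    detail: str = ""


_EXCLUSION = re.compile(
    r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
_EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+(?:Bypass|Unrestricted)", re.I)
_SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\"?\s+/create\b", re.I)
# Directories a standard user can write to; a payload launched from here is worth a look.
_WRITABLE_DIR = re.compile(r"^C:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\", re.I)


def _opt(cmdline, name):
    """Value of a schtasks /name option, quoted or bare; None if absent."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _image(cmdline):
    """First token of the command line, i.e. the image path without quotes."""
    c = cmdline.strip()
    return c[1:].split('"', 1)[0] if c.startswith('"') else c.split(None, 1)[0]


def analyze(cmdline):
    """All findings for one process-creation command line."""
    findings = []
    m = _EXCLUSION.search(cmdline)
    if m:
        kind = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        findings.append(Finding(f"defender_exclusion_{kind.lower()}", "T1562.001", value))
    if _EP_BYPASS.search(cmdline):
        findings.append(Finding("powershell_execpolicy_bypass", "T1059.001"))
    if _SCHTASKS_CREATE.search(cmdline):
        detail = " ".join(f"{k}={_opt(cmdline, k)}" for k in ("tn", "sc", "mo", "RL"))
        findings.append(Finding("schtasks_persistence", "T1053.005", _opt(cmdline, "tr") or "", detail))
    image = _image(cmdline)
    if _WRITABLE_DIR.match(image):
        findings.append(Finding("exec_from_user_writable_dir", "heuristic", image))
    return findings


def correlate(cmdlines):
    """Binaries both excluded from Defender by path and set as a scheduled-task
    action: the strongest single signal in this chain (lower-cased paths)."""
    excluded, task_targets = set(), set()
    for c in cmdlines:
        for f in analyze(c):
            if f.rule == "defender_exclusion_path":
                excluded.add(f.value.lower())
            elif f.rule == "schtasks_persistence" and f.value:
                task_targets.add(f.value.lower())
    return excluded & task_targets


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        for f in analyze(c):
            print(f"{f.technique:10} {f.rule:30} {f.value} {f.detail}")
    print("excluded AND scheduled:", correlate(SAMPLE_CMDLINES))
```

The correlation step is what separates this chain from an administrator who legitimately adds an exclusion or creates a task: the same binary appearing as both an exclusion path and a task action, launched from ProgramData with a one-minute interval at HIGHEST run level, has no routine explanation and should page rather than queue.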
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 161.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.23:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 23.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.126:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 126.144.14.145.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.186:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 186.145.14.145.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.39:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 39.145.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.210:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 210.145.14.145.in-addr.arpa | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.192:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 192.145.14.145.in-addr.arpa | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.50:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 50.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.31:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 31.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.222:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 222.144.14.145.in-addr.arpa | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
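The table above is the raw connection log of the detonation. The Python below is an added worked example, not part of the sandbox report: it parses an excerpt of the rows (copied from the table, not the full log), sets aside resolver queries to 8.8.8.8, PTR lookups and the Bing background traffic of the sandbox image, and counts how often each remaining endpoint was contacted, so the repeatedly contacted wiz.bounceme.net:6000 and the playit.gg tunnel endpoint stand out from the one-off fetches from i.ibb.co and wiznon.000webhostapp.com. The benign-suffix list and the `min_hits` threshold are assumptions chosen for this excerpt.

```python
"""Triage a sandbox 'Network' table: strip resolver/PTR noise and sandbox
background traffic, then rank the endpoints the sample keeps returning to."""
import re
from collections import Counter, defaultdict

# Excerpt of rows copied from the report's Network table (not the full table).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.161:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | programme-garden.gl.at.ply.gg | udp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.23:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.19:42957 | programme-garden.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 145.14.144.126:443 | wiznon.000webhostapp.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
"""

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS resolver, as seen in the table
# Assumption: background traffic of the sandbox image, not attributable to the sample.
BENIGN_DOMAIN_SUFFIXES = (".bing.com",)

ROW_RE = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([\d.]+:\d+)\s*\|\s*(\S+)\s*\|\s*(udp|tcp)\s*\|$"
)


def parse_rows(text):
    """Turn the pipe-delimited rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m[1], "dest": m[2], "domain": m[3], "proto": m[4]})
    return rows


def classify(row):
    """Label a row so only the sample's own connections reach the counters."""
    domain = row["domain"]
    if row["dest"] == RESOLVER and domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"          # sandbox reverse lookups of peers it saw
    if row["dest"] == RESOLVER:
        return "dns-query"           # the forward lookup before the real connection
    if domain.endswith(BENIGN_DOMAIN_SUFFIXES):
        return "background"
    return "sample-traffic"


def summarize(rows):
    """Return (connections per (domain, ip:port), domain -> set of resolved IPs)."""
    conns = Counter()
    resolved = defaultdict(set)
    for r in rows:
        if classify(r) == "sample-traffic":
            conns[(r["domain"], r["dest"])] += 1
            resolved[r["domain"]].add(r["dest"].split(":")[0])
    return conns, resolved


def beaconing(conns, min_hits=3):
    """Endpoints contacted at least min_hits times are C2 candidates; the rest
    look like one-off staging fetches. min_hits is an assumed threshold."""
    return {ep: n for ep, n in conns.items() if n >= min_hits}


if __name__ == "__main__":
    conns, resolved = summarize(parse_rows(NETWORK_TABLE))
    for (domain, dest), n in conns.most_common():
        print(f"{n:3d}  {domain:32s} {dest}")
    print("beaconing:", sorted(beaconing(conns)))
    print("domains with more than one IP:",
          sorted(d for d, ips in resolved.items() if len(ips) > 1))
```

When turning this into blocking or detection rules, prefer the domain over the IP for the two C2 channels: wiz.bounceme.net is a dynamic-DNS name and programme-garden.gl.at.ply.gg is a playit.gg tunnel hostname, so both can move to a new address without the sample changing, and the table itself shows wiznon.000webhostapp.com resolving to several 145.14.x.x addresses across the run. The distinctive port 6000 on the bounceme.net endpoint is worth a separate network rule in its own right.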
Files
memory/3736-1-0x00000000003D0000-0x00000000003E4000-memory.dmp
memory/3736-0-0x00007FFA5B443000-0x00007FFA5B445000-memory.dmp
memory/4020-2-0x000001D0A9170000-0x000001D0A9192000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgzxogl5.pvp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4020-12-0x00007FFA5B440000-0x00007FFA5BF01000-memory.dmp
memory/4020-13-0x00007FFA5B440000-0x00007FFA5BF01000-memory.dmp
memory/4020-14-0x00007FFA5B440000-0x00007FFA5BF01000-memory.dmp
memory/4020-17-0x00007FFA5B440000-0x00007FFA5BF01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\ProgramData\WizClient.exe
| MD5 | 6f262adee7c149b7346d2d85087541dd |
| SHA1 | dcd1a1c19b41af259946654bf3b17bf4cf6d3466 |
| SHA256 | 55c9dc86e15768f647ca1f042c8786dee53387125f2f26e87c2ff0ebb42eb5e8 |
| SHA512 | e6e85b2fb893a7769519719c05c0ec2b58687e87bc9af1e564628aca3ceec3aef8092955e889ac687aef7f250bd937a4442c2153252a0aceee1b8daa7ceefbdb |
memory/3736-49-0x00007FFA5B440000-0x00007FFA5BF01000-memory.dmp
memory/3736-50-0x000000001BA30000-0x000000001BA3E000-memory.dmp
memory/3736-51-0x00007FFA5B443000-0x00007FFA5B445000-memory.dmp
memory/3736-54-0x00007FFA5B440000-0x00007FFA5BF01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizClient.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
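The Files section gives three kinds of host indicator for the dropped payload: its hashes, its drop path under C:\ProgramData, and the .NET usage log that the CLR writes when the executable actually runs. The Python below is an added worked example, not part of the report, that hunts a directory tree for all three at once. The hash values are the ones recorded above; the path suffixes, the throwaway demo tree and its placeholder contents are constructed for this example.

```python
"""Hunt a directory tree for the dropped WizClient.exe by hash, by drop path and
by the CLR usage log that shows it was executed."""
import hashlib
import os
import tempfile

# Hashes of C:\ProgramData\WizClient.exe as recorded in the report's Files section.
WIZCLIENT_HASHES = {
    "md5": "6f262adee7c149b7346d2d85087541dd",
    "sha1": "dcd1a1c19b41af259946654bf3b17bf4cf6d3466",
    "sha256": "55c9dc86e15768f647ca1f042c8786dee53387125f2f26e87c2ff0ebb42eb5e8",
}
# Paths from the report, as lower-case suffixes so any volume root or mount point matches.
PATH_IOCS = (
    r"\programdata\wizclient.exe",
    r"\appdata\local\microsoft\clr_v4.0\usagelogs\wizclient.exe.log",
)


def file_digests(path, chunk=1 << 20):
    """Compute every algorithm we hold an IOC for in one pass over the file."""
    hashers = {name: hashlib.new(name) for name in WIZCLIENT_HASHES}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hunt(root, hash_iocs=WIZCLIENT_HASHES, path_iocs=PATH_IOCS):
    """Return [(path, [reasons])] for every file that matches a path or hash IOC.
    A path hit alone still matters: a rebuilt payload changes its hash, not its
    drop location, and the usage log is evidence of execution, not just presence."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            norm = full.replace("/", "\\").lower()
            reasons = [f"path:{p}" for p in path_iocs if norm.endswith(p)]
            try:
                digests = file_digests(full)
            except OSError:
                digests = {}  # unreadable (locked, permissions); keep any path hit
            reasons += [f"{algo}:{val}" for algo, val in digests.items()
                        if hash_iocs.get(algo) == val]
            if reasons:
                findings.append((full, reasons))
    return findings


# Constructed demo data: a placeholder standing in for the payload, not the real file.
DEMO_PAYLOAD = b"placeholder bytes, not the real WizClient.exe"


def demo_hash_iocs():
    """Hash IOC set for the placeholder, so the hash path of hunt() can be exercised."""
    return {"sha256": hashlib.sha256(DEMO_PAYLOAD).hexdigest()}


def build_demo_tree():
    """Create a throwaway tree mimicking the two report paths plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="wizhunt-")
    usage = os.path.join(root, "Users", "Admin", "AppData", "Local",
                         "Microsoft", "CLR_v4.0", "UsageLogs")
    os.makedirs(os.path.join(root, "ProgramData"))
    os.makedirs(usage)
    os.makedirs(os.path.join(root, "Windows"))
    with open(os.path.join(root, "ProgramData", "WizClient.exe"), "wb") as f:
        f.write(DEMO_PAYLOAD)
    with open(os.path.join(usage, "WizClient.exe.log"), "wb") as f:
        f.write(b"1,\"fusion\",\"GAC\",0\n")
    with open(os.path.join(root, "Windows", "unrelated.txt"), "wb") as f:
        f.write(b"nothing to see here")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, reasons in hunt(root, hash_iocs={**WIZCLIENT_HASHES, **demo_hash_iocs()}):
        print(path)
        for r in reasons:
            print("   ", r)
```

On a real host run this against the volume root (or a mounted image) with the report's hashes; the demo hashes only exist so the hash branch can be shown without the real payload. Note that the CLR usage log is written under the profile of the user who ran the binary, so check every profile under Users, not only the one that contains the drop path.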