xworm | 74e0935e8ae394bc11ae15b98dbdd63301de4eab026544d930d0ebe91d2ddfbb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm v4/WizWorm.exe
Size

14.3MB
MD5

0d7b4b1882f63bdd50b95c566d71ae14
SHA1

fd44458018d9ba5beee8a67b7f22bb5c6e1f850d
SHA256

4a095cf379d66c7123416fec489a8ef6b767fec71959e13714127d6c3bb41c06
SHA512

97ad65c805be31d1d530077b4736ff4c844c51a2d4550e856933f08a328e4c74ecef7e22040a27e9a03509170c4bc780e26b0389cb57385d5217f56d68a7aeda
SSDEEP

393216:q3vfM+4csPWDxmpDz05h8HpCLemOEkHh1og2CrVJCmvT:q3vfM+4cVm25hspRmIAWvH

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:5552

Mutex

MNdMde9kZ2Fr79GR

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023da9-37.dat	family_xworm
behavioral2/memory/4396-40-0x0000000000010000-0x000000000001E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
4396	WizClient.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WizWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WizWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WizWorm.exe

Modifies registry class 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000003f3cdfdb4c81db016d6426175581db016d6426175581db0114000000	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WizWorm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WizWorm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WizWorm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WizWorm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	WizWorm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	WizWorm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WizWorm.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	WizWorm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WizWorm.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe
3696	WizWorm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3696	WizWorm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE
Token: SeDebugPrivilege	4396	WizClient.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3696	WizWorm.exe
3696	WizWorm.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3696	WizWorm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3696	WizWorm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 4476	3696	WizWorm.exe	109
PID 3696 wrote to memory of 4476	3696	WizWorm.exe	109
PID 4476 wrote to memory of 4252	4476	vbc.exe	111
PID 4476 wrote to memory of 4252	4476	vbc.exe	111

C:\Users\Admin\AppData\Local\Temp\WizWorm v4\WizWorm.exe
"C:\Users\Admin\AppData\Local\Temp\WizWorm v4\WizWorm.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ibg1qcj\5ibg1qcj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9000E77739184BD38B36FAE838D6CAE6.TMP"
    3⤵
    PID:4252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Users\Admin\Desktop\WizClient.exe
"C:\Users\Admin\Desktop\WizClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ibg1qcj\5ibg1qcj.0.vb

Filesize
73KB

MD5
b3a52dfc291ee9a64f0c0349ed88eeb1

SHA1
a61fa80d049c4449bf1e075328c329608e473b85

SHA256
8258716ddc220f4e066adb41bd6bbec6359ed42b31242210a21fc36555ad5bc7

SHA512
c0ffbd2f578522a865bcc7c78dff396516e3083ba92acba7de504b32dbf3211ed81da8248320e4bf862f78413de27e6aa2b4d49a3724244e6c32bc08c5991a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ibg1qcj\5ibg1qcj.cmdline

Filesize
292B

MD5
4a3c9b96e864b9f08d8bceb25525fbd4

SHA1
5bf44709d7fde003eda1bebdb51ab42e93946df1

SHA256
b977ebdbe986db9e2e372b7c458d258162522786c01e38aeebf712770b2c8b65

SHA512
096719119eeda4d40f1ae72511814432a3170b7b5305c15cd92c723142f293b468b907a0d8fc99dd1933efbd7850c68c00830d25d40a94e6594c5f13c132d1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES24B5.tmp

Filesize
1KB

MD5
b02c6b80741f998eeafcf712f46ba961

SHA1
de2359633672f20ba51b2a1779bf8f7d9b96aaea

SHA256
f484de38c926f538665121a70a27fb74a0d855844b35a27c2e1ccec749cff48f

SHA512
29811f041481f543422b9e622db428b6735fa8178bca0e735ff0327866c28607264f29b50a44e67bb835a31ad331e0c6bb3d83dd21ad3663cbd6f2b73f6788b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9000E77739184BD38B36FAE838D6CAE6.TMP

Filesize
1KB

MD5
85d473aaafaeafa39833a0adf1902ab4

SHA1
fd63bebbbbcc47d55520acc72548f78e8d6c4784

SHA256
9a8f53996a1dd339db9f03cf68a73abb1a80a7b09c2afc0a9f72b243a44256fb

SHA512
e6807073fffb95411365ee03fdaab041e7c91955361576e732595396f7b78606982bb4ac48e17a76d0f3812a125bb1e0aa9b3634e64d17eb0f336681246ea8d6

Download Submit
C:\Users\Admin\Desktop\WizClient.exe

Filesize
30KB

MD5
9feffe5c04a6b9f082c862665ff6915a

SHA1
8cd2c3f85c7627f64877f264494eb1e1d16a859a

SHA256
63d774998b76398a1faedd6fcffc6f834c2d7bf46766e0eeed1cc38a3c6409c2

SHA512
348312e9b609d8f701bd5faa9640051159ee34f80f31536b851ad5ecc09d1de7bf6af79811de5ca5a2b2b5099fe7c75b592f91742900fbd4603c1d268a4a5079

Download Submit
memory/3696-9-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-21-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-0-0x00007FFB572C3000-0x00007FFB572C5000-memory.dmp

Filesize
8KB

Download
memory/3696-10-0x000001F5C95F0000-0x000001F5C969A000-memory.dmp

Filesize
680KB

Download
memory/3696-11-0x00007FFB572C3000-0x00007FFB572C5000-memory.dmp

Filesize
8KB

Download
memory/3696-12-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-13-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-14-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-17-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-18-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-19-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-6-0x000001F5C56D0000-0x000001F5C58C4000-memory.dmp

Filesize
2.0MB

Download
memory/3696-22-0x000001F5EBB90000-0x000001F5EBCF8000-memory.dmp

Filesize
1.4MB

Download
memory/3696-5-0x000001F5AB8B0000-0x000001F5AB8C2000-memory.dmp

Filesize
72KB

Download
memory/3696-4-0x000001F5AB910000-0x000001F5AB96C000-memory.dmp

Filesize
368KB

Download
memory/3696-3-0x000001F5C41E0000-0x000001F5C53D2000-memory.dmp

Filesize
17.9MB

Download
memory/3696-2-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-1-0x000001F5A8D20000-0x000001F5A9B7E000-memory.dmp

Filesize
14.4MB

Download
memory/3696-38-0x00007FFB572C0000-0x00007FFB57D81000-memory.dmp

Filesize
10.8MB

Download
memory/3696-43-0x000001F5EBE60000-0x000001F5EBEE2000-memory.dmp

Filesize
520KB

Download
memory/3696-41-0x000001F5EB8F0000-0x000001F5EB91C000-memory.dmp

Filesize
176KB

Download
memory/3696-42-0x000001F5EBFF0000-0x000001F5EC2D2000-memory.dmp

Filesize
2.9MB

Download
memory/4396-40-0x0000000000010000-0x000000000001E000-memory.dmp

Filesize
56KB

Download
memory/4396-44-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download