Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 06:41

General

  • Target

    WenzCord.exe

  • Size

    3.1MB

  • MD5

    f21aa436096afece0b8c39c36bf4a9ab

  • SHA1

    976b74c6a4e59e59a812c06032aae71a0516236a

  • SHA256

    43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

  • SHA512

    44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

  • SSDEEP

    49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

C2

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes
  • encryption_key

    985DB7D034DB1B5D52F524873569DDDE4080F31C

  • install_name

    WenzCord.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update.exe

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\WenzCord.exe
    "C:\Users\Admin\AppData\Local\Temp\WenzCord.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1828
    • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3640
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Myzzt5GhEHDE.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4332
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:380
          • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1684
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2152
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOPBVloFfpY3.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4020
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4236
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1464
                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3472
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4480
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4VuKhIhPbeay.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3408
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2072
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:872
                      • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1128
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4756
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Crt5fOh39Xd.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3068
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:3340
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3536
                            • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1356
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:5016
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3z9KvMhrgY3.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3624
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:3956
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:4948
                                  • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:3492
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2424
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SV5MQ65lgBRL.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:5020
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:3620
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:924
                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3028
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:5028
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lY5TyXMKWOjr.bat" "
                                            15⤵
                                              PID:5040
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:2304
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:4852
                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1436
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2072
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tlFMMFsetEbz.bat" "
                                                    17⤵
                                                      PID:2876
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:1836
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:1112
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4532
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:456
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TVYmvHEPEivM.bat" "
                                                            19⤵
                                                              PID:1488
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:4296
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:2884
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1756
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2632
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2WD79luTW3TV.bat" "
                                                                    21⤵
                                                                      PID:4908
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:4336
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:4948
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1576
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:5048
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uA6G2GoStdg5.bat" "
                                                                            23⤵
                                                                              PID:64
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:2348
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:2168
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:3304
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:220
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I1Y7wvCP7tHO.bat" "
                                                                                    25⤵
                                                                                      PID:4268
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:2772
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:3064
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:552
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:348
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YieHjeGPVP1I.bat" "
                                                                                            27⤵
                                                                                              PID:4292
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4552
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:5116
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:3808
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2876
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7JbNPUjDasLM.bat" "
                                                                                                    29⤵
                                                                                                      PID:4532
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2636
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:540
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:672
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:3988
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGccZb7whwQH.bat" "
                                                                                                            31⤵
                                                                                                              PID:2700
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:2608
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:3532

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WenzCord.exe.log

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    baf55b95da4a601229647f25dad12878

                                                    SHA1

                                                    abc16954ebfd213733c4493fc1910164d825cac8

                                                    SHA256

                                                    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                    SHA512

                                                    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                  • C:\Users\Admin\AppData\Local\Temp\2Crt5fOh39Xd.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    63b75612cf802786b4083118b2ddd261

                                                    SHA1

                                                    245846e142a8834565d6e850100e1865fe965efc

                                                    SHA256

                                                    4b3d3c8e84d0c55f42758bfe8982416280ac7fa16e2da7168775f08f7a5b554c

                                                    SHA512

                                                    0c04f597fba7229be6bfadbd979f59e469bfcfe3ebd5694c49cfe7a64f7fa541d59bb91704a37bbbe2b950552263e7608a4c4981e38524b72f55998afac3f61b

                                                  • C:\Users\Admin\AppData\Local\Temp\2WD79luTW3TV.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    ab08b2db251af267e3aee18916d719f4

                                                    SHA1

                                                    9375d4b80a1a7c3ec5c0c4ea4f4874caecb9a31c

                                                    SHA256

                                                    af9ab12faaa26db04fc337765d47000c2e996c024065aaf4bf119e43b73d1fd8

                                                    SHA512

                                                    56584f3fa1a68f31a4086babd396c3f0d89f43cb8ad16c4f5080c1a05965b3caed9cca15844a66e7884170a8ef9d2adb6abe0078a8155693d27384d93813358c

                                                  • C:\Users\Admin\AppData\Local\Temp\4VuKhIhPbeay.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    3b0774f82b690fbce477d7229ea1c9a5

                                                    SHA1

                                                    5826a488f6ff69c4620ba5546e1d3a04f32c5fcf

                                                    SHA256

                                                    be018832689c687c756fffddfcb0d38c9ebbc4441817f402c8c5f5413f6b167e

                                                    SHA512

                                                    5d8524b13b0a1167a67eb67e93ca8adc9faa31efac808ad161b542d99442fc450de159964f014fbae598efb834f98b0dcb31927f94ee0e8518f7508d5ef83b67

                                                  • C:\Users\Admin\AppData\Local\Temp\7JbNPUjDasLM.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    be8c84589970ec8a826f0c5dad1672f1

                                                    SHA1

                                                    7804554301498b214a56cc63c19143f4d63714f4

                                                    SHA256

                                                    e9090a0c54708b73f09081422c7bca211f3a0decc732de13c2de3322158ff166

                                                    SHA512

                                                    62904a690a0e8630aece325c6b022bfb95eede92ca732fed293e9b707e1dc34d831840541e42daa6329a0f7d4ba1bce3720793786ec8ff266a27f9e5c359db82

                                                  • C:\Users\Admin\AppData\Local\Temp\G3z9KvMhrgY3.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    a43ccd10960e73e6889b898922086f09

                                                    SHA1

                                                    3e8d3af231f452bf01c3c00c85cd0a28caeda230

                                                    SHA256

                                                    a5843c835eade76931955a49bda5a5b5033b8154a8d44f3d8633c346a637e53a

                                                    SHA512

                                                    674b22c18ea51a3f089ddc97af6fbf6d8d7a1658632b5722bebff9d393df7532e6535af14ecc608751a46b396312766585275a18c0a64efd924ad68a6377e014

                                                  • C:\Users\Admin\AppData\Local\Temp\I1Y7wvCP7tHO.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    ec740df0057fc8da5a2797d655dabfe7

                                                    SHA1

                                                    700014a557cc33efecd66f4ec602e2c3dfd36fc2

                                                    SHA256

                                                    2196e40cbb4948d194d3346f32c74f49641284f98b9c716384b24d6aef49ea55

                                                    SHA512

                                                    ebc4b63ba50b2f67777e6ca0ea2d2493d83236ac300e8e113d169d6784d64af471c3fac4201c143491fce35e2d561a4ad01724a093f9ac10323fc78865df9062

                                                  • C:\Users\Admin\AppData\Local\Temp\Myzzt5GhEHDE.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    7698e9a6c5ede5b0f5f09c53abf572e5

                                                    SHA1

                                                    aa45cd9ade4b9a029fe8d9d0573df6be4102cf42

                                                    SHA256

                                                    acacac8cb789601a556fa14415f03ca0fdb77563461e1dfca30104d4685888d0

                                                    SHA512

                                                    ccd49fcb791b2e503ec7706ebf307224376f92ef0b0aa97c77f9c4aa679d3ca0cea2cbc60ec9acc44412de0dada0e3ac8bed3dbb85ffee249c904ca79daf7857

                                                  • C:\Users\Admin\AppData\Local\Temp\SV5MQ65lgBRL.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    1f52b4a9119d472d0ad72820df3e4213

                                                    SHA1

                                                    8fc76e35caa52491cec30b4c53669aa117952546

                                                    SHA256

                                                    b658b4f3f60157f34d9abf83b17ee9ca1b887da5fa0b24c1bc5a70a5f23dc71a

                                                    SHA512

                                                    4e94215b98b46a3799c87a68d6d5cf1ea9f7f0100e87919ec1a208b3bc1550d8e6042b9efa9a930811bb6f844a9abbee4131c098e473b577084ff94a9754109e

                                                  • C:\Users\Admin\AppData\Local\Temp\TVYmvHEPEivM.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    5f372269ed15df54c97d52a79d36cc4b

                                                    SHA1

                                                    5de0f4e2f8139aa55806014f50a3f36986a17293

                                                    SHA256

                                                    5db806484485569e81826cd5f48b6530f60e5ee1da8d1895156fd04ee9d8c457

                                                    SHA512

                                                    057f2668672b35888d17f7035240a119b4e2de5b729ccf88fbca41c1e5be460f7297b07b651e6b4c6aa6664f537c778f2fbb530b09a61e4c6e266214da6b5c24

                                                  • C:\Users\Admin\AppData\Local\Temp\YieHjeGPVP1I.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    5ff65acba737bc4e24352835ac431a0d

                                                    SHA1

                                                    3d3dca1ffcd8ef1242aed7da5ebcc5e088934697

                                                    SHA256

                                                    debc19e9c15f5d92b3d031b6fa593d4e0dd5bd25a8658887d440dae3d25f3776

                                                    SHA512

                                                    d01c6bc33b5dd78e53753ecfb3df8a9ff5bbccb3a026edca8e2e987e5a62ce2f77918fc5a73e6c4a041c665de40baf25908109e10fe9bab99bf7e4484244972b

                                                  • C:\Users\Admin\AppData\Local\Temp\lGccZb7whwQH.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    0989ae191ef0fb17823f01a222a95017

                                                    SHA1

                                                    e8968847c1d9d5f76df5797b70c24fdf40485ea2

                                                    SHA256

                                                    db57893114a3e09ce735e9d77ae37221ed3dd43384b0756d7d7e850129682881

                                                    SHA512

                                                    69e9d122b428002dea19ee94233bfe4aacd61209e00a3afaf73763d55a391706d6fad1631a5f5e2d67da0730eda3827974a16f1430d618aff61723997b96910d

                                                  • C:\Users\Admin\AppData\Local\Temp\lY5TyXMKWOjr.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    c8e5ad913a4b6417692ba5f644533b87

                                                    SHA1

                                                    c1ee6aef38e0063845792067bf4ca3395bcfa332

                                                    SHA256

                                                    5ffc1f832cb15a73676cba314b0eab0a8254879dd26b302db24f4f0606e84290

                                                    SHA512

                                                    e688f1ccfe8407dea88e15323d1a4fb71eb2f81222b8cad8e8c4638692734c9bbab182bc233283b54755a6b4fdc12372cb81a039ffd725a1b439509191e825c7

                                                  • C:\Users\Admin\AppData\Local\Temp\oOPBVloFfpY3.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    7fa5159c5641f61dde349c9182fe89e7

                                                    SHA1

                                                    fd36921b903144f068459a6a8cccf8440c931606

                                                    SHA256

                                                    5eb1698ace21b47467a71f25c75509a5fd97587d51318040d1d8c1c464ed638a

                                                    SHA512

                                                    ccb1fc01b101b5f563e0fe22dceea81ef9ed51fb0ea59681d875cb00175753fa02908e08ab88812d6463ca2f14a196cccf3368849c91e928bd49e0f5f67ba9ff

                                                  • C:\Users\Admin\AppData\Local\Temp\tlFMMFsetEbz.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    bf17eec089ca586353280027e373bc9a

                                                    SHA1

                                                    a8425649e7575a52900b8f4d5e7c7afec8e881ed

                                                    SHA256

                                                    49d66856c98eafd2f3f52f9823cdb7b124ebc6401e1c660238872d4febbb0984

                                                    SHA512

                                                    919d217c6f923d9f39acafa7e84d4d38ac019d98a7a97b857926d8dbf33e344828a4f8d9438c8a958a300e24a9d1542a045e289438d9df2e8ee12a3ebbc2c6ce

                                                  • C:\Users\Admin\AppData\Local\Temp\uA6G2GoStdg5.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    e73d2991f568a461eaccf9da3f976bb9

                                                    SHA1

                                                    e26913a4d524d19ee353767a54725cd90686ea18

                                                    SHA256

                                                    bf182dd000b1d0181802db89079598950f94b66b04321ce03112684b7fc2cdfa

                                                    SHA512

                                                    e3a036dd360a6891eefb495f214c8af8f7850ce50b30cd7794f02d41fb90e63c429ab74fad82bbb984b6b435da71f5fd821b77b60b759fda34f58032cad287d9

                                                  • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe

                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    f21aa436096afece0b8c39c36bf4a9ab

                                                    SHA1

                                                    976b74c6a4e59e59a812c06032aae71a0516236a

                                                    SHA256

                                                    43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

                                                    SHA512

                                                    44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

                                                  • memory/1812-19-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1812-14-0x000000001BFD0000-0x000000001C082000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/1812-13-0x000000001BEC0000-0x000000001BF10000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/1812-12-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/1812-11-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3612-0-0x00007FFA96DC3000-0x00007FFA96DC5000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/3612-10-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3612-2-0x00007FFA96DC0000-0x00007FFA97881000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/3612-1-0x0000000000C80000-0x0000000000FAA000-memory.dmp

                                                    Filesize

                                                    3.2MB