Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 06:50

General

  • Target

    WenzCord.exe

  • Size

    3.1MB

  • MD5

    f21aa436096afece0b8c39c36bf4a9ab

  • SHA1

    976b74c6a4e59e59a812c06032aae71a0516236a

  • SHA256

    43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

  • SHA512

    44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

  • SSDEEP

    49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

WenzCordRat

C2

nickhill112-22345.portmap.host:22345

Mutex

7ee1db41-359a-46b2-bba3-791dc7cde5e1

Attributes
  • encryption_key

    985DB7D034DB1B5D52F524873569DDDE4080F31C

  • install_name

    WenzCord.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update.exe

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\WenzCord.exe
    "C:\Users\Admin\AppData\Local\Temp\WenzCord.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4356
    • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2112
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RXVkXMSnJnxb.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:232
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2372
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4720
          • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1820
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a6PWTbh62SmY.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2876
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:448
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1408
                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:5028
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4468
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSy5JWCTx03X.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5112
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2136
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1340
                      • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2540
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1608
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KVxVVIYMZdeC.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2336
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:3932
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:432
                            • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4748
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1884
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TI6kScZauijy.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3140
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1996
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:3916
                                  • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                    "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1368
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1584
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m9J5xpIXuBKt.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:540
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:5004
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:1548
                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2500
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3624
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAwhcBnugZF0.bat" "
                                            15⤵
                                              PID:4468
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:3060
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:3300
                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3084
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1624
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d3hj6yLp92fL.bat" "
                                                    17⤵
                                                      PID:2920
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:4704
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:1816
                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3588
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2112
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMIwI4OmjN1i.bat" "
                                                            19⤵
                                                              PID:1440
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:3676
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:2968
                                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:728
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2248
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TnTpeqiNPk6I.bat" "
                                                                    21⤵
                                                                      PID:2832
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:3660
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:3900
                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:4332
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2276
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A1lGN4UIMubx.bat" "
                                                                            23⤵
                                                                              PID:4636
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:3396
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:3908
                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2952
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4288
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QLh5YgD9iHLa.bat" "
                                                                                    25⤵
                                                                                      PID:904
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:3444
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:3652
                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4388
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:868
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqdceIcJ0OAE.bat" "
                                                                                            27⤵
                                                                                              PID:1964
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4764
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:4672
                                                                                                • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2964
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:976
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAyatYegyG5e.bat" "
                                                                                                    29⤵
                                                                                                      PID:3932
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2660
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:4708
                                                                                                        • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:772
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:3744
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tRqlZ651AjP8.bat" "
                                                                                                            31⤵
                                                                                                              PID:4720
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:1576
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:5012
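The tail of the tree above repeats the same two actions at every level: a `schtasks /create ... /sc ONLOGON ... /rl HIGHEST /f` that points at the copy in `%AppData%\SubDir`, and a throwaway batch file run from `%TEMP%` that sets the console code page, sleeps with `ping -n 10 localhost`, and relaunches the binary. The detection logic below is an added example, not sandbox output and not Quasar's own code; the `EVENTS` records are constructed to mirror PIDs 2964 through 5012 in the tree, and the Sysmon Event ID 1 style field names and every function name are this example's assumptions.

```python
"""Detection logic for the two behaviours in the process tree above:
(1) schtasks persistence of a user-writable binary at highest run level on logon,
(2) the cmd -> chcp -> ping-delay -> relaunch restart chain.
Added example. EVENTS is constructed to mirror the tree; field names are assumed."""
import ntpath
import re
from collections import defaultdict

# Command line copied from the tree (PIDs 976 and 3744 run this exact line).
SCHTASKS_CMD = (r'"schtasks" /create /tn "Update.exe" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f')

# Constructed Sysmon-style process-creation records mirroring the tree's PIDs.
EVENTS = [
    {"ProcessId": 3932, "ParentProcessId": 2964, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAyatYegyG5e.bat" "'},
    {"ProcessId": 2660, "ParentProcessId": 3932, "Image": r"C:\Windows\system32\chcp.com",
     "CommandLine": "chcp 65001"},
    {"ProcessId": 4708, "ParentProcessId": 3932, "Image": r"C:\Windows\system32\PING.EXE",
     "CommandLine": "ping -n 10 localhost"},
    {"ProcessId": 772, "ParentProcessId": 3932, "Image": r"C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"'},
    {"ProcessId": 3744, "ParentProcessId": 772, "Image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "CommandLine": SCHTASKS_CMD},
    {"ProcessId": 4720, "ParentProcessId": 772, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tRqlZ651AjP8.bat" "'},
    {"ProcessId": 1576, "ParentProcessId": 4720, "Image": r"C:\Windows\system32\chcp.com",
     "CommandLine": "chcp 65001"},
    {"ProcessId": 5012, "ParentProcessId": 4720, "Image": r"C:\Windows\system32\PING.EXE",
     "CommandLine": "ping -n 10 localhost"},
]

# Anything under C:\Users\<user>\AppData\ is writable by that user without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def _opt(cmdline, flag):
    """Value of a schtasks /flag option, quoted or bare; None when absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmdline):
    """Return the fields of a 'schtasks /create' line, or None for anything else."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create\b', cmdline, re.I):
        return None
    return {
        "task_name": _opt(cmdline, "tn"),
        "schedule": (_opt(cmdline, "sc") or "").upper(),
        "action": _opt(cmdline, "tr"),
        "run_level": (_opt(cmdline, "rl") or "").upper(),
        "force": re.search(r"\s/f(\s|$)", cmdline, re.I) is not None,
    }


def schtasks_findings(cmdline):
    """Human-readable reasons a task creation is suspicious; empty list if benign/not schtasks."""
    t = parse_schtasks(cmdline)
    if t is None:
        return []
    findings = []
    if t["schedule"] == "ONLOGON":
        findings.append("ONLOGON: re-executes at every interactive logon")
    if t["run_level"] == "HIGHEST":
        findings.append("/rl HIGHEST: asks for the highest token the creating user can get")
    if t["action"] and USER_WRITABLE.search(t["action"]):
        findings.append("action lives under AppData, a user-writable location")
    target = ntpath.basename(t["action"] or "")
    if t["task_name"] and target and t["task_name"].lower() != target.lower():
        findings.append("task name %r does not match launched binary %r" % (t["task_name"], target))
    if t["force"]:
        findings.append("/f: overwrites an existing task of that name without prompting")
    return findings


def find_restart_chains(events):
    """Completed restart chains: cmd /c <Temp>\\*.bat whose children include chcp,
    a 'ping -n N localhost' delay (~N-1 s) and a relaunch from a user-writable path."""
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    chains = []
    for e in events:
        if not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        if not re.search(r'/c\s+"*[^"]*\\Temp\\[^"]*\.bat', e["CommandLine"], re.I):
            continue
        kids = children[e["ProcessId"]]
        has_chcp = any(k["Image"].lower().endswith("\\chcp.com") for k in kids)
        ping_count = None
        for k in kids:
            m = re.search(r"-n\s+(\d+)\s+(localhost|127\.0\.0\.1)", k["CommandLine"], re.I)
            if k["Image"].lower().endswith("\\ping.exe") and m:
                ping_count = int(m.group(1))
        relaunch = [k for k in kids
                    if k["Image"].lower().endswith(".exe") and USER_WRITABLE.search(k["Image"])]
        if has_chcp and ping_count and relaunch:
            chains.append({"cmd_pid": e["ProcessId"], "ping_count": ping_count,
                           "relaunched": relaunch[0]["Image"],
                           "relaunched_pid": relaunch[0]["ProcessId"]})
    return chains


def triage(events):
    """Summary of persistence attempts and completed restart chains in a batch of events."""
    return {
        "persistence": [(e["ProcessId"], schtasks_findings(e["CommandLine"]))
                        for e in events if parse_schtasks(e["CommandLine"])],
        "restart_chains": find_restart_chains(events),
    }
```

Two caveats when reading the result. `/rl HIGHEST` only yields an elevated task when the creating account is itself an administrator; the tree shows the request, not whether it was honoured. And the last `cmd.exe` (PID 4720) has a `chcp` and a `ping` child but no relaunch, which is what a chain cut off by the sandbox time limit looks like; `find_restart_chains` reports completed chains only, so that one surfaces as a hunting lead rather than a hit.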

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WenzCord.exe.log

                                                    Filesize

                                                    1KB

                                                    MD5

                                                    baf55b95da4a601229647f25dad12878

                                                    SHA1

                                                    abc16954ebfd213733c4493fc1910164d825cac8

                                                    SHA256

                                                    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                    SHA512

                                                    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                  • C:\Users\Admin\AppData\Local\Temp\A1lGN4UIMubx.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    f0cc1099ff52507040b166a5f7d754bd

                                                    SHA1

                                                    1600f6ce97d37172a5f23d2f467d167f03e2eb90

                                                    SHA256

                                                    7d12fa8ee70895039fb77d0ae832b1cd0d512dda2e119d882b0c750bc8da50e0

                                                    SHA512

                                                    5070cdb6a1694b480b4ff46b71a61a58daf72be3865b512de69ce5b1e9c08a74fca83732795ca2165699b0e8d1b774acabbdf1c6bcc650dde430228f05ce590d

                                                  • C:\Users\Admin\AppData\Local\Temp\BMIwI4OmjN1i.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    5918babd7269980731801c40592faed8

                                                    SHA1

                                                    b09916f04dbdbe4ffbea9e11532fec6b68ac9e30

                                                    SHA256

                                                    935a0296743afe2a25bcb2e95daa62627d46466767e3a3b352dd16668f9a8930

                                                    SHA512

                                                    bfeb6740168a2cc79e924e2086bef4b149dc0a2eb2be0ad5df25b6af2da7661abcdb44bb0c0ceb20b03459999b1564ed02c924c66299bf78f957d696210ca23e

                                                  • C:\Users\Admin\AppData\Local\Temp\DSy5JWCTx03X.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    d4fe3710f5988a3126033f5928e2c566

                                                    SHA1

                                                    f76bdb73ce5fc24c82abb2e6e0ab940b8ae77e39

                                                    SHA256

                                                    0c0f5b1d937243b948a9b6d81834c5360acf81ac0b1b2a70eaf234a20295fc39

                                                    SHA512

                                                    f3c43fdcb968281964ad8f58066732ec6b08c44c2442eae181803b1274ed79adcb65ee38d9f12b16dfb47ac0ccbde6bad86cf38550363884c0c67ed7d36b118a

                                                  • C:\Users\Admin\AppData\Local\Temp\HAyatYegyG5e.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    84db2256ed431c0ad91bb10c054f1126

                                                    SHA1

                                                    3aedb244b2bd494e915c4ff5e22bd76a3c054662

                                                    SHA256

                                                    0ad368686ab6838a1f0ce871f8f0341309e66bdf3f70b30d70a7f0ba510c243c

                                                    SHA512

                                                    f4cf5ee7b3691400bc36728e218f1788aca488d53ed33d76a79be6c534d00c99f9485794b3b217982527db85bfe8ca925ad4555f7e543d420d284ee8fedcdcd0

                                                  • C:\Users\Admin\AppData\Local\Temp\KVxVVIYMZdeC.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    86aa02531520206bbc6bf46686f1d081

                                                    SHA1

                                                    cbca48d7e7cdce709ee27e0212d3a3b38c6f9624

                                                    SHA256

                                                    9deca87ebaccb8a25519336febcbdd2f02bcba077f9b905cdd92d69fbb808421

                                                    SHA512

                                                    35ec3af95c0c219f45bd2c3d1b07c5a331398414a5ed13b47f6399e87d174f7bdcf9f3449d35302f7d277efb827de33e18681677644e3ff7c58d8925a6cac8c3

                                                  • C:\Users\Admin\AppData\Local\Temp\PAwhcBnugZF0.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    21cb5aa777151b16f2955c91a492f0d4

                                                    SHA1

                                                    57550fb1f4ec8b256a58d2cc08a2eaa81e82b3df

                                                    SHA256

                                                    ca091bfcd5ae0a3f6fc5bab70a372bad8ba52a49f7605b155bda7778851d4070

                                                    SHA512

                                                    38f7d827e480da635acc5f94f8e32f6b45ac1182ceab2e2da1772d5ada3ae6939b546884d01d9d5cf1a10006a36c278d2356e47df80ebdb4c2fb971e37f0bedb

                                                  • C:\Users\Admin\AppData\Local\Temp\QLh5YgD9iHLa.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    fb6b7790735b115696c5b2a81f790524

                                                    SHA1

                                                    e9d82a5d9d89c49e6b9437d6dd607cf5dd8324ee

                                                    SHA256

                                                    4b09b900d898b7a36226d7cb795cb5239c8455b7dcd40d91c4eb86ee54a46a45

                                                    SHA512

                                                    102373836fc170b53508b0429b2896b40413e12afec72e80ad7d3db39881214834d623358ce0504cfd5e5a2174ca8d2d8869055d7a1ad34b3e6492d1a62d34ca

                                                  • C:\Users\Admin\AppData\Local\Temp\RXVkXMSnJnxb.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    fc5578a23cd959566ed512fa571af245

                                                    SHA1

                                                    0761cab1a9b2ac7543f1d37f3f7bd3f4331c8d43

                                                    SHA256

                                                    d53d0625b2ad6ce9fe2e651a764c6f653aca026411027145896ca8d572a3c44e

                                                    SHA512

                                                    177f27091d36ff866dbed34de808089cc5c95b496e5ac354feb87f05a88093fac12e22c29ae9a4b44f17ae908154ea9bb4fb8c0d7ebb5b7092074c22cbe87e26

                                                  • C:\Users\Admin\AppData\Local\Temp\TI6kScZauijy.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    11defde70c68312b30a30a7727dbd1a4

                                                    SHA1

                                                    5e5a65c4dd1762cfcb251c1899650fa6ceb40958

                                                    SHA256

                                                    90727aef52424b1ce97f3e262cb72ed93c01aeb02a67dad422fb5184e064c6e9

                                                    SHA512

                                                    a033f2bd29ae6a264e21108ee8cb1dcd95ff7ade9ddb665f83df88e9c75826877581f04bd4e5b3b794437b33f231cd06281461f2415cdd248710a5fba8db50dd

                                                  • C:\Users\Admin\AppData\Local\Temp\TnTpeqiNPk6I.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    73adfb1b8d15f8f38ac06cfd365e294e

                                                    SHA1

                                                    32d781796e4f8c111511141187011acbb0b87e9e

                                                    SHA256

                                                    81c31739f1d92a89a0dc6257a3ec478cf4c2d81b4acf786bffc472b9c2f7d4ff

                                                    SHA512

                                                    cb613740833546a01c1ef099804eb63cd851549488bc9559900c4cd7ccdd4f10829efdd8b67caeac1cb9c163c475c09686a55000ddd0bc41f2f638176dc2d5eb

                                                  • C:\Users\Admin\AppData\Local\Temp\a6PWTbh62SmY.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    6e91afbb93ad3d2259c2c6669049df95

                                                    SHA1

                                                    00d59800092d25d1822bab745e1feb49ca53153f

                                                    SHA256

                                                    72f403787c6a2e7848f88f108b1660e5e1a2426b93f8304a3883691ce2692aab

                                                    SHA512

                                                    d48a4e8613fd7d48444604ee1b7064d1b916b31c2287cd2497082b878e80b4d38b2cefa34f9fc53704c067943c648f4a1acf45388199acfafdb667489fb1c2d7

                                                  • C:\Users\Admin\AppData\Local\Temp\d3hj6yLp92fL.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    fe080b6be040ca4329b4e9eeec869408

                                                    SHA1

                                                    c205d3b2b859f3e0034ecc2342a874d98ffb35f8

                                                    SHA256

                                                    40e312bff7be22d048623f558c553a6bee796915d0bd9585dcdea173b537d4bd

                                                    SHA512

                                                    09eb2fb2beea26408589baabc1ddfe43f732ce475cf13e3f4a10057814e982cdad9a651b39a7fb21fe411e053e26d85be16933908506f4f3ee94e84d9b67e953

                                                  • C:\Users\Admin\AppData\Local\Temp\lqdceIcJ0OAE.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    9a423d8339c837684f49cf5e59fb9d59

                                                    SHA1

                                                    2223f6d7dd2b07e75782a1a7bfbd713c3d7b7d8a

                                                    SHA256

                                                    a9c2827f4851739dfe18e49d6700526739051f027a7d8d396974d38379de9b4f

                                                    SHA512

                                                    5cd959ba357ed301c6af0cbb141e630ba722853621ccd2f232eedea04035914edc8f01f5b83d89c4cd72036a5e15d6fa33562f08bd9638e9506107f0f54473db

                                                  • C:\Users\Admin\AppData\Local\Temp\m9J5xpIXuBKt.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    42f3b3c362bfee75f7e43a9d3c99f052

                                                    SHA1

                                                    30f7a73a8fe3ddae83b73f25e2d97d6c83fceede

                                                    SHA256

                                                    9c47191ab4bc9c66f8e4836a9d0ed2174ef685b5b28a6e5b822cd261bfe1b39b

                                                    SHA512

                                                    6a0317f95cbb95ba5b52cdeac588955a122ade830261f2db27b5e01b7dfcc1b79b3ba03139a5e9f7a9619a1727962adff6d910f2f466ecbc394e1b7067c77ef6

                                                  • C:\Users\Admin\AppData\Local\Temp\tRqlZ651AjP8.bat

                                                    Filesize

                                                    209B

                                                    MD5

                                                    a53f236a453aacf7dca207e69270f6fa

                                                    SHA1

                                                    a50b2f394248bf3971976088b3868ccb3071cdeb

                                                    SHA256

                                                    6c5a00b948d5ecde191fe7e446742795fde1d6d76354040ef366f1cb45ebd60e

                                                    SHA512

                                                    f9ca937efbd696ad50a47b36cac55d0a078ccdcc842490fe4a7f8b076cf359c60ed9c166b5c1601d7be6ab907380281e8d632a497108543807f3d46426ef9480

                                                  • C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe

                                                    Filesize

                                                    3.1MB

                                                    MD5

                                                    f21aa436096afece0b8c39c36bf4a9ab

                                                    SHA1

                                                    976b74c6a4e59e59a812c06032aae71a0516236a

                                                    SHA256

                                                    43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10

                                                    SHA512

                                                    44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b

                                                  • memory/4420-14-0x000000001C150000-0x000000001C202000-memory.dmp

                                                    Filesize

                                                    712KB

                                                  • memory/4420-13-0x000000001C040000-0x000000001C090000-memory.dmp

                                                    Filesize

                                                    320KB

                                                  • memory/4420-12-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4420-19-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4420-10-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4812-11-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4812-2-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

                                                    Filesize

                                                    10.8MB

                                                  • memory/4812-1-0x0000000000F20000-0x000000000124A000-memory.dmp

                                                    Filesize

                                                    3.2MB

                                                  • memory/4812-0-0x00007FFE57F93000-0x00007FFE57F95000-memory.dmp

                                                    Filesize

                                                    8KB
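The listing above is the IOC set for this run, but in a one-field-per-line layout that is tedious to copy by hand. The parser below turns it into records, checks each hash has the right length for its algorithm, and shows one property worth noticing: every batch file is 209 bytes yet has a different digest, which is what per-run generated scripts with an embedded random name look like. This is an added example, not sandbox output; `LISTING` is an excerpt copied from the page (two batch files, the persisted executable and one memory region), and the record layout and function names are this example's own.

```python
"""Parse the sandbox 'Downloads' listing (label on one line, value on the next)
into IOC records. Added example; LISTING is an excerpt copied from the page above."""
import re
from collections import defaultdict

LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\A1lGN4UIMubx.bat
  Filesize
  209B
  MD5
  f0cc1099ff52507040b166a5f7d754bd
  SHA1
  1600f6ce97d37172a5f23d2f467d167f03e2eb90
  SHA256
  7d12fa8ee70895039fb77d0ae832b1cd0d512dda2e119d882b0c750bc8da50e0
  SHA512
  5070cdb6a1694b480b4ff46b71a61a58daf72be3865b512de69ce5b1e9c08a74fca83732795ca2165699b0e8d1b774acabbdf1c6bcc650dde430228f05ce590d
• C:\Users\Admin\AppData\Local\Temp\BMIwI4OmjN1i.bat
  Filesize
  209B
  MD5
  5918babd7269980731801c40592faed8
  SHA1
  b09916f04dbdbe4ffbea9e11532fec6b68ac9e30
  SHA256
  935a0296743afe2a25bcb2e95daa62627d46466767e3a3b352dd16668f9a8930
  SHA512
  bfeb6740168a2cc79e924e2086bef4b149dc0a2eb2be0ad5df25b6af2da7661abcdb44bb0c0ceb20b03459999b1564ed02c924c66299bf78f957d696210ca23e
• C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe
  Filesize
  3.1MB
  MD5
  f21aa436096afece0b8c39c36bf4a9ab
  SHA1
  976b74c6a4e59e59a812c06032aae71a0516236a
  SHA256
  43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
  SHA512
  44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b
• memory/4420-14-0x000000001C150000-0x000000001C202000-memory.dmp
  Filesize
  712KB
"""

FIELDS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """One dict per '•' entry: {'path': ..., 'Filesize': ..., 'MD5': ..., ...}.
    Memory regions carry only a Filesize, so hash keys are simply absent there."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
        elif line in FIELDS:
            pending = line            # next non-empty line is this field's value
        elif pending and current is not None:
            current[pending] = line
            pending = None
    return records


def validate(record):
    """Names of hash fields whose value is not lowercase hex of the expected length."""
    bad = []
    for name, length in HEX_LEN.items():
        value = record.get(name)
        if value is not None and not re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            bad.append(name)
    return bad


def blocklist(records, algo="SHA256"):
    """Sorted, de-duplicated digests suitable for a hash blocklist."""
    return sorted({r[algo] for r in records if algo in r})


def same_size_distinct_content(records):
    """{size: number of distinct SHA256s} for sizes shared by files with different content."""
    by_size = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            by_size[r["Filesize"]].add(r["SHA256"])
    return {size: len(hashes) for size, hashes in by_size.items() if len(hashes) > 1}
```

Feed the full listing through `parse_listing` and the `209B` bucket grows to all sixteen batch files; a size-only rule would therefore be far too loose, while a hash blocklist built from them is only good against this one run, since the scripts differ per execution. The durable indicators are the executable's digests and the behaviour captured in the process tree, not the batch file hashes.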