Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 06:50
Behavioral task behavioral1: sample WenzCord.exe, resource win7-20240903-en
Behavioral task behavioral2: sample WenzCord.exe, resource win10v2004-20241007-en
The results on this page are from behavioral2 (the Windows 10 run): the platform above is windows10-2004_x64 and the YARA hits below are tagged behavioral2.
General
Target: WenzCord.exe
Size: 3.1MB
MD5: f21aa436096afece0b8c39c36bf4a9ab
SHA1: 976b74c6a4e59e59a812c06032aae71a0516236a
SHA256: 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
SHA512: 44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b
SSDEEP: 49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): WenzCordRat
C2: nickhill112-22345.portmap.host:22345
Mutex: 7ee1db41-359a-46b2-bba3-791dc7cde5e1
Attributes:
  encryption_key: 985DB7D034DB1B5D52F524873569DDDE4080F31C
  install_name: WenzCord.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Update.exe
  subdirectory: SubDir
Notes: the C2 is a portmap.host port-forwarding hostname, so the address is a relay and the forwarded port (22345) appears both in the label and as the port; reconnect_delay is in milliseconds. encryption_key is the password from which the Quasar client derives the keys that protect its other embedded settings, which is what lets an extractor recover the fields above. install_name, subdirectory and startup_key are confirmed by the process tree below: the dropped copy runs from C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe and the scheduled task is named Update.exe.
Signatures
Quasar family
Quasar payload 2 IoCs
  resource                                                                     yara_rule
  behavioral2/memory/4812-1-0x0000000000F20000-0x000000000124A000-memory.dmp   family_quasar
  behavioral2/files/0x000b000000023b71-8.dat                                   family_quasar
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation, by WenzCord.exe (15 identical queries, one from each instance of the dropped copy; the initial instance, PID 4812, did not query it).
Caveat: this heuristic fires on any read of the user's GeoID, which locale and region initialisation code also performs, so one query per instance does not by itself show a geofence. Nothing in the trace shows an instance exiting on the result: every instance went on to the scheduled-task and relaunch steps.
Executes dropped EXE 15 IoCs
PIDs (all C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe): 4420, 1584, 5028, 2540, 4748, 1368, 2500, 3084, 3588, 728, 4332, 2952, 4388, 2964, 772
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PIDs (PING.EXE): 3300, 4672, 4708, 1408, 1340, 432, 3916, 3900, 3908, 3652, 4720, 1548, 1816, 2968, 5012
Caveat: every one of these is ping -n 10 localhost, run from the restart batch. The target is the loopback address, so this is an approximately ten-second delay before the next relaunch, not an Internet connectivity check; treat the hit as a timing artefact of the loop rather than as discovery.
Runs ping.exe 1 TTPs 15 IoCs
PIDs (PING.EXE): 1408, 432, 3916, 1816, 3900, 5012, 2968, 4720, 1340, 1548, 3908, 3652, 4708, 3300, 4672
Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PIDs (schtasks.exe): 2112, 1820, 1608, 2276, 868, 3624, 1624, 3744, 976, 4356, 4468, 1884, 1584, 2112, 2248, 4288
All 16 invocations use the same command line (see the process tree): "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f. The task name is the config's startup_key, the target is the install path, and /rl HIGHEST asks for the highest privileges the user holds. Quasar's startup routine uses this schtasks form when it has administrator rights and an HKCU ...\CurrentVersion\Run value otherwise, so when hunting on hosts where the sample may have run unprivileged, look for the startup_key name in both places. PID 2112 appears twice because the PID was reused within the trace.
Suspicious use of AdjustPrivilegeToken 16 IoCs
Token: SeDebugPrivilege, enabled by every WenzCord.exe instance. PIDs: 4812, 4420, 1584, 5028, 2540, 4748, 1368, 2500, 3084, 3588, 728, 4332, 2952, 4388, 2964, 772
Suspicious use of WriteProcessMemory 64 IoCs
Every launch appears twice (the sandbox records two writes into each new child), so the 64 entries are 32 launches. The list is capped at 64 entries: it ends at the launch of PID 2500, while the process tree continues to depth 32. The trailing number is the sandbox's index for the target process; it is what distinguishes PID 1584 as the WenzCord.exe child of 232 (index 95) from PID 1584 as the schtasks.exe child of 1368 (index 143).
parent PID -> child PID   parent image   target index
4812 -> 4356   WenzCord.exe   83
4812 -> 4420   WenzCord.exe   85
4420 -> 2112   WenzCord.exe   86
4420 -> 232    WenzCord.exe   88
232 -> 2372    cmd.exe        90
232 -> 4720    cmd.exe        91
232 -> 1584    cmd.exe        95
1584 -> 1820   WenzCord.exe   99
1584 -> 2876   WenzCord.exe   102
2876 -> 448    cmd.exe        104
2876 -> 1408   cmd.exe        105
2876 -> 5028   cmd.exe        113
5028 -> 4468   WenzCord.exe   114
5028 -> 5112   WenzCord.exe   117
5112 -> 2136   cmd.exe        119
5112 -> 1340   cmd.exe        120
5112 -> 2540   cmd.exe        124
2540 -> 1608   WenzCord.exe   125
2540 -> 2336   WenzCord.exe   128
2336 -> 3932   cmd.exe        131
2336 -> 432    cmd.exe        132
2336 -> 4748   cmd.exe        133
4748 -> 1884   WenzCord.exe   134
4748 -> 3140   WenzCord.exe   136
3140 -> 1996   cmd.exe        139
3140 -> 3916   cmd.exe        140
3140 -> 1368   cmd.exe        142
1368 -> 1584   WenzCord.exe   143
1368 -> 540    WenzCord.exe   146
540 -> 5004    cmd.exe        148
540 -> 1548    cmd.exe        149
540 -> 2500    cmd.exe        151
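Rebuilding the lineage from these records can be automated. The following is an added example, not part of the sandbox report and not Quasar code: it parses the report's own WriteProcessMemory records, drops the doubled entries, attaches each child to the most recent process that held the parent PID at that moment, and reports how deep the relaunch chain runs. RECORDS lists each record once, plus the first record's repeat exactly as it appears in the report; the regular expression and the "most recent holder of the PID" rule are assumptions about the sandbox's record format.

```python
"""Rebuild process lineage from the sandbox's "wrote to memory of" records.

Added example, not part of the report. RECORDS is copied from the
WriteProcessMemory signature above (each record once, the first one repeated as
it appears there). The trailing number on each record is the sandbox's unique
index for the target process; it is what makes it possible to tell apart two
processes that reused the same PID (1584 is first a WenzCord.exe child of 232
and later a schtasks.exe child of 1368).
"""
import re

RECORDS = """
PID 4812 wrote to memory of 4356 4812 WenzCord.exe 83
PID 4812 wrote to memory of 4356 4812 WenzCord.exe 83
PID 4812 wrote to memory of 4420 4812 WenzCord.exe 85
PID 4420 wrote to memory of 2112 4420 WenzCord.exe 86
PID 4420 wrote to memory of 232 4420 WenzCord.exe 88
PID 232 wrote to memory of 2372 232 cmd.exe 90
PID 232 wrote to memory of 4720 232 cmd.exe 91
PID 232 wrote to memory of 1584 232 cmd.exe 95
PID 1584 wrote to memory of 1820 1584 WenzCord.exe 99
PID 1584 wrote to memory of 2876 1584 WenzCord.exe 102
PID 2876 wrote to memory of 448 2876 cmd.exe 104
PID 2876 wrote to memory of 1408 2876 cmd.exe 105
PID 2876 wrote to memory of 5028 2876 cmd.exe 113
PID 5028 wrote to memory of 4468 5028 WenzCord.exe 114
PID 5028 wrote to memory of 5112 5028 WenzCord.exe 117
PID 5112 wrote to memory of 2136 5112 cmd.exe 119
PID 5112 wrote to memory of 1340 5112 cmd.exe 120
PID 5112 wrote to memory of 2540 5112 cmd.exe 124
PID 2540 wrote to memory of 1608 2540 WenzCord.exe 125
PID 2540 wrote to memory of 2336 2540 WenzCord.exe 128
PID 2336 wrote to memory of 3932 2336 cmd.exe 131
PID 2336 wrote to memory of 432 2336 cmd.exe 132
PID 2336 wrote to memory of 4748 2336 cmd.exe 133
PID 4748 wrote to memory of 1884 4748 WenzCord.exe 134
PID 4748 wrote to memory of 3140 4748 WenzCord.exe 136
PID 3140 wrote to memory of 1996 3140 cmd.exe 139
PID 3140 wrote to memory of 3916 3140 cmd.exe 140
PID 3140 wrote to memory of 1368 3140 cmd.exe 142
PID 1368 wrote to memory of 1584 1368 WenzCord.exe 143
PID 1368 wrote to memory of 540 1368 WenzCord.exe 146
PID 540 wrote to memory of 5004 540 cmd.exe 148
PID 540 wrote to memory of 1548 540 cmd.exe 149
PID 540 wrote to memory of 2500 540 cmd.exe 151
"""

# Assumed record layout: "PID <parent> wrote to memory of <child> <parent> <parent image> <child index>"
REC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_records(text):
    """Unique (parent_pid, child_pid, parent_image, child_index) tuples, in log order.
    The sandbox logs two writes per launch, so exact repeats are dropped."""
    seen, out = set(), []
    for m in REC_RE.finditer(text):
        rec = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def build_tree(records, root_pid):
    """Map child index -> parent index. PID reuse is resolved by attaching each child
    to the most recently created process that held the parent PID at that moment."""
    root = f"root:{root_pid}"
    latest = {root_pid: root}   # pid -> index of the newest process seen with that pid
    parent = {}
    for ppid, cpid, _image, cidx in records:
        parent[cidx] = latest.get(ppid, f"unknown:{ppid}")
        latest[cpid] = cidx
    return parent


def depth(parent, node):
    """Number of launches between node and the root."""
    d = 0
    while node in parent:
        node = parent[node]
        d += 1
    return d


def longest_chain(parent):
    return max((depth(parent, n) for n in parent), default=0)


def indices_for_pid(records, pid):
    """All process indices that were assigned a given PID; more than one means PID reuse."""
    return [cidx for _, cpid, _, cidx in records if cpid == pid]


def naive_parent_map(records):
    """The shortcut most people write first (child pid -> parent pid). Kept for contrast:
    PID 1584 ends up with a single parent, the last writer, and the earlier lineage is lost."""
    return {cpid: ppid for ppid, cpid, _, _ in records}


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    tree = build_tree(recs, 4812)
    print(len(recs), "launches; longest chain is", longest_chain(tree), "launches deep")
    print("indices that held PID 1584:", indices_for_pid(recs, 1584))
```

On this report the chain from PID 4812 to the launch of PID 2500 is 13 launches deep and PID 1584 resolves to two different processes (indices 95 and 143). The naive child-PID map silently assigns 1584 the parent 1368, which is wrong for the WenzCord.exe instance that drove the first half of the chain; when a sandbox exposes a per-process index, key on it.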
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The tree is a single linear chain. The submitted file (PID 4812, run from %TEMP%) creates the scheduled task and starts the copy it dropped to %APPDATA%\SubDir. Each instance of that copy then repeats three steps: run schtasks /create again, drop a randomly named .bat in %TEMP% and run it through cmd.exe, and inside the batch run chcp 65001, wait with ping -n 10 localhost and launch the Roaming copy once more. The loop ran 15 times in the 147 s analysis window and was still running when the trace ended (the last cmd.exe, PID 4720, had reached the ping step).

Command lines, identical for every instance of each process (depth is the tree level reported by the sandbox; the batch name differs per iteration and is listed in the table):
  WenzCord.exe, depth 1        "C:\Users\Admin\AppData\Local\Temp\WenzCord.exe"
  WenzCord.exe, dropped copy   "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  schtasks.exe                 "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  cmd.exe                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\<batch>.bat" "
  chcp.com                     chcp 65001
  PING.EXE                     ping -n 10 localhost

Signature hits per process:
  WenzCord.exe PID 4812: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  WenzCord.exe dropped copies (all 15): Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; plus Suspicious use of WriteProcessMemory on PIDs 4420, 1584, 5028, 2540, 4748 and 1368
  schtasks.exe (all 16): Scheduled Task/Job: Scheduled Task
  cmd.exe: Suspicious use of WriteProcessMemory on PIDs 232, 2876, 5112, 2336, 3140 and 540; no hits on the later instances
  chcp.com: no hits
  PING.EXE (all 15): System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
The WriteProcessMemory flag stops after the launch of PID 2500, which is where the 64-entry WriteProcessMemory list above is capped, not where the behaviour changes.

Depth  WenzCord.exe PID  schtasks.exe PID  cmd.exe PID  batch file         chcp.com PID  PING.EXE PID  next WenzCord.exe PID (depth)
1      4812              4356              -            -                  -             -             4420 (2), started directly
2      4420              2112              232          RXVkXMSnJnxb.bat   2372          4720          1584 (4)
4      1584              1820              2876         a6PWTbh62SmY.bat   448           1408          5028 (6)
6      5028              4468              5112         DSy5JWCTx03X.bat   2136          1340          2540 (8)
8      2540              1608              2336         KVxVVIYMZdeC.bat   3932          432           4748 (10)
10     4748              1884              3140         TI6kScZauijy.bat   1996          3916          1368 (12)
12     1368              1584              540          m9J5xpIXuBKt.bat   5004          1548          2500 (14)
14     2500              3624              4468         PAwhcBnugZF0.bat   3060          3300          3084 (16)
16     3084              1624              2920         d3hj6yLp92fL.bat   4704          1816          3588 (18)
18     3588              2112              1440         BMIwI4OmjN1i.bat   3676          2968          728 (20)
20     728               2248              2832         TnTpeqiNPk6I.bat   3660          3900          4332 (22)
22     4332              2276              4636         A1lGN4UIMubx.bat   3396          3908          2952 (24)
24     2952              4288              904          QLh5YgD9iHLa.bat   3444          3652          4388 (26)
26     4388              868               1964         lqdceIcJ0OAE.bat   4764          4672          2964 (28)
28     2964              976               3932         HAyatYegyG5e.bat   2660          4708          772 (30)
30     772               3744              4720         tRqlZ651AjP8.bat   1576          5012          trace ends after the ping at depth 32
schtasks.exe and cmd.exe sit one level below the WenzCord.exe that launched them; chcp.com, PING.EXE and the next WenzCord.exe are children of that cmd.exe, two levels below. PIDs 1584, 2112, 4468, 3932 and 4720 are reused for different processes within the trace, so match on the process index or on parent and image, not on the PID alone.
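The config fields and the schtasks-plus-batch pattern in the tree can be turned into a check that runs over process-creation events. The following is an added example, not code from the report or from Quasar: it derives the expected install path, task name and C2 endpoint from the extracted config (the %APPDATA%\<subdirectory>\<install_name> layout and the use of startup_key as the task name are read off the report's own schtasks line and assumed to hold generally), scores a schtasks command line against them, and finds cmd.exe instances running a .bat whose children are a ping localhost delay plus a fresh launch of the install path. SAMPLE_EVENTS are the first two levels of the tree above; BENIGN_SCHTASKS is a constructed control line that must not match.

```python
"""Turn an extracted Quasar config into host artefacts and check process events against them.

Added example; not part of the sandbox report and not Quasar's own code.
CONFIG is copied from the report's "Malware Config" section. The install-path
layout (%APPDATA%\<subdirectory>\<install_name>) and the task name (= startup_key)
are assumptions taken from the report's own schtasks command line. SAMPLE_EVENTS
are built from the first two levels of the report's process tree (PIDs as
reported); BENIGN_SCHTASKS is a constructed control line.
"""
import re
from dataclasses import dataclass

CONFIG = {
    "c2": "nickhill112-22345.portmap.host:22345",
    "install_name": "WenzCord.exe",
    "subdirectory": "SubDir",
    "startup_key": "Update.exe",
}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def expected_artifacts(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Derive the artefacts an install with this config should leave on the host."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "install_path": f"{appdata}\\{cfg['subdirectory']}\\{cfg['install_name']}",
        "task_name": cfg["startup_key"],
        "c2_host": host,
        "c2_port": int(port),
    }


def _opt(cmdline, flag):
    """Value of a schtasks switch, quoted or bare; None when the switch is absent."""
    m = re.search(rf'{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_schtasks(cmdline, art):
    """Reasons a 'schtasks /create' line matches the expected persistence; [] when none."""
    if "/create" not in cmdline.lower():
        return []
    reasons = []
    if (_opt(cmdline, "/tn") or "") == art["task_name"]:
        reasons.append("task name equals startup_key")
    target = _opt(cmdline, "/tr") or ""
    if target.lower() == art["install_path"].lower():      # tree mixes system32/SYSTEM32 casing
        reasons.append("task runs the expected install path")
    if "\\appdata\\" in target.lower():
        reasons.append("task target is in a user-writable AppData directory")
    if (_opt(cmdline, "/rl") or "").upper() == "HIGHEST":
        reasons.append("runs with the highest available privileges")
    if (_opt(cmdline, "/sc") or "").upper() == "ONLOGON":
        reasons.append("fires at every logon")
    return reasons


def find_restart_chains(events, art):
    """(cmd PID, relaunched PID) for each cmd.exe running a .bat whose children include a
    'ping -n N localhost' delay and a new copy of the install path: the restart batch."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe") or ".bat" not in e.cmdline.lower():
            continue
        kids = children.get(e.pid, [])
        delay = any(k.image.lower().endswith("\\ping.exe")
                    and re.search(r"-n\s+\d+\s+localhost", k.cmdline, re.I) for k in kids)
        relaunch = [k for k in kids if k.image.lower() == art["install_path"].lower()]
        if delay and relaunch:
            hits.append((e.pid, relaunch[0].pid))
    return hits


ART = expected_artifacts(CONFIG)

SCHTASKS_LINE = ('"schtasks" /create /tn "Update.exe" /sc ONLOGON '
                 '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\WenzCord.exe" /rl HIGHEST /f')
BENIGN_SCHTASKS = ('schtasks /create /tn "NightlyBackup" /sc DAILY '
                   '/tr "C:\\Program Files\\Backup\\backup.exe" /rl LIMITED /f')  # constructed

SAMPLE_EVENTS = [  # from the report's process tree
    Event(4812, 0, r"C:\Users\Admin\AppData\Local\Temp\WenzCord.exe", r'"C:\Users\Admin\AppData\Local\Temp\WenzCord.exe"'),
    Event(4356, 4812, r"C:\Windows\SYSTEM32\schtasks.exe", SCHTASKS_LINE),
    Event(4420, 4812, r"C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe", r'"C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"'),
    Event(2112, 4420, r"C:\Windows\SYSTEM32\schtasks.exe", SCHTASKS_LINE),
    Event(232, 4420, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RXVkXMSnJnxb.bat" "'),
    Event(2372, 232, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    Event(4720, 232, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    Event(1584, 232, r"C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe", r'"C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"'),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if e.image.lower().endswith("\\schtasks.exe"):
            print(f"PID {e.pid}:", "; ".join(check_schtasks(e.cmdline, ART)))
    print("restart chains (cmd PID, relaunched PID):", find_restart_chains(SAMPLE_EVENTS, ART))
```

Sysmon process-creation records (Event ID 1) carry the same four fields, so the same functions run over a real host's log. The restart-chain check keys on structure (cmd.exe running a .bat, a ping localhost child, a child whose image is the install path) rather than on the random batch name, which changes every iteration; the C2 host and port in ART are the values to push to network monitoring.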
Network
MITRE ATT&CK Enterprise v15
Downloads
Seventeen files were written during the run. The 3.1MB file has exactly the hashes of the submitted sample, so the copy installed under C:\Users\Admin\AppData\Roaming\SubDir is byte-identical to it and the sample hashes can be used to hunt for the installed copy. The fifteen 209-byte files, each with a different hash, match the count of the randomly named .bat files run from %TEMP% in the process tree. The origin of the 1KB file is not identified on this page.

Filesize 1KB
  MD5    baf55b95da4a601229647f25dad12878
  SHA1   abc16954ebfd213733c4493fc1910164d825cac8
  SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize 209B
  MD5    f0cc1099ff52507040b166a5f7d754bd
  SHA1   1600f6ce97d37172a5f23d2f467d167f03e2eb90
  SHA256 7d12fa8ee70895039fb77d0ae832b1cd0d512dda2e119d882b0c750bc8da50e0
  SHA512 5070cdb6a1694b480b4ff46b71a61a58daf72be3865b512de69ce5b1e9c08a74fca83732795ca2165699b0e8d1b774acabbdf1c6bcc650dde430228f05ce590d

Filesize 209B
  MD5    5918babd7269980731801c40592faed8
  SHA1   b09916f04dbdbe4ffbea9e11532fec6b68ac9e30
  SHA256 935a0296743afe2a25bcb2e95daa62627d46466767e3a3b352dd16668f9a8930
  SHA512 bfeb6740168a2cc79e924e2086bef4b149dc0a2eb2be0ad5df25b6af2da7661abcdb44bb0c0ceb20b03459999b1564ed02c924c66299bf78f957d696210ca23e

Filesize 209B
  MD5    d4fe3710f5988a3126033f5928e2c566
  SHA1   f76bdb73ce5fc24c82abb2e6e0ab940b8ae77e39
  SHA256 0c0f5b1d937243b948a9b6d81834c5360acf81ac0b1b2a70eaf234a20295fc39
  SHA512 f3c43fdcb968281964ad8f58066732ec6b08c44c2442eae181803b1274ed79adcb65ee38d9f12b16dfb47ac0ccbde6bad86cf38550363884c0c67ed7d36b118a

Filesize 209B
  MD5    84db2256ed431c0ad91bb10c054f1126
  SHA1   3aedb244b2bd494e915c4ff5e22bd76a3c054662
  SHA256 0ad368686ab6838a1f0ce871f8f0341309e66bdf3f70b30d70a7f0ba510c243c
  SHA512 f4cf5ee7b3691400bc36728e218f1788aca488d53ed33d76a79be6c534d00c99f9485794b3b217982527db85bfe8ca925ad4555f7e543d420d284ee8fedcdcd0

Filesize 209B
  MD5    86aa02531520206bbc6bf46686f1d081
  SHA1   cbca48d7e7cdce709ee27e0212d3a3b38c6f9624
  SHA256 9deca87ebaccb8a25519336febcbdd2f02bcba077f9b905cdd92d69fbb808421
  SHA512 35ec3af95c0c219f45bd2c3d1b07c5a331398414a5ed13b47f6399e87d174f7bdcf9f3449d35302f7d277efb827de33e18681677644e3ff7c58d8925a6cac8c3

Filesize 209B
  MD5    21cb5aa777151b16f2955c91a492f0d4
  SHA1   57550fb1f4ec8b256a58d2cc08a2eaa81e82b3df
  SHA256 ca091bfcd5ae0a3f6fc5bab70a372bad8ba52a49f7605b155bda7778851d4070
  SHA512 38f7d827e480da635acc5f94f8e32f6b45ac1182ceab2e2da1772d5ada3ae6939b546884d01d9d5cf1a10006a36c278d2356e47df80ebdb4c2fb971e37f0bedb

Filesize 209B
  MD5    fb6b7790735b115696c5b2a81f790524
  SHA1   e9d82a5d9d89c49e6b9437d6dd607cf5dd8324ee
  SHA256 4b09b900d898b7a36226d7cb795cb5239c8455b7dcd40d91c4eb86ee54a46a45
  SHA512 102373836fc170b53508b0429b2896b40413e12afec72e80ad7d3db39881214834d623358ce0504cfd5e5a2174ca8d2d8869055d7a1ad34b3e6492d1a62d34ca

Filesize 209B
  MD5    fc5578a23cd959566ed512fa571af245
  SHA1   0761cab1a9b2ac7543f1d37f3f7bd3f4331c8d43
  SHA256 d53d0625b2ad6ce9fe2e651a764c6f653aca026411027145896ca8d572a3c44e
  SHA512 177f27091d36ff866dbed34de808089cc5c95b496e5ac354feb87f05a88093fac12e22c29ae9a4b44f17ae908154ea9bb4fb8c0d7ebb5b7092074c22cbe87e26

Filesize 209B
  MD5    11defde70c68312b30a30a7727dbd1a4
  SHA1   5e5a65c4dd1762cfcb251c1899650fa6ceb40958
  SHA256 90727aef52424b1ce97f3e262cb72ed93c01aeb02a67dad422fb5184e064c6e9
  SHA512 a033f2bd29ae6a264e21108ee8cb1dcd95ff7ade9ddb665f83df88e9c75826877581f04bd4e5b3b794437b33f231cd06281461f2415cdd248710a5fba8db50dd

Filesize 209B
  MD5    73adfb1b8d15f8f38ac06cfd365e294e
  SHA1   32d781796e4f8c111511141187011acbb0b87e9e
  SHA256 81c31739f1d92a89a0dc6257a3ec478cf4c2d81b4acf786bffc472b9c2f7d4ff
  SHA512 cb613740833546a01c1ef099804eb63cd851549488bc9559900c4cd7ccdd4f10829efdd8b67caeac1cb9c163c475c09686a55000ddd0bc41f2f638176dc2d5eb

Filesize 209B
  MD5    6e91afbb93ad3d2259c2c6669049df95
  SHA1   00d59800092d25d1822bab745e1feb49ca53153f
  SHA256 72f403787c6a2e7848f88f108b1660e5e1a2426b93f8304a3883691ce2692aab
  SHA512 d48a4e8613fd7d48444604ee1b7064d1b916b31c2287cd2497082b878e80b4d38b2cefa34f9fc53704c067943c648f4a1acf45388199acfafdb667489fb1c2d7

Filesize 209B
  MD5    fe080b6be040ca4329b4e9eeec869408
  SHA1   c205d3b2b859f3e0034ecc2342a874d98ffb35f8
  SHA256 40e312bff7be22d048623f558c553a6bee796915d0bd9585dcdea173b537d4bd
  SHA512 09eb2fb2beea26408589baabc1ddfe43f732ce475cf13e3f4a10057814e982cdad9a651b39a7fb21fe411e053e26d85be16933908506f4f3ee94e84d9b67e953

Filesize 209B
  MD5    9a423d8339c837684f49cf5e59fb9d59
  SHA1   2223f6d7dd2b07e75782a1a7bfbd713c3d7b7d8a
  SHA256 a9c2827f4851739dfe18e49d6700526739051f027a7d8d396974d38379de9b4f
  SHA512 5cd959ba357ed301c6af0cbb141e630ba722853621ccd2f232eedea04035914edc8f01f5b83d89c4cd72036a5e15d6fa33562f08bd9638e9506107f0f54473db

Filesize 209B
  MD5    42f3b3c362bfee75f7e43a9d3c99f052
  SHA1   30f7a73a8fe3ddae83b73f25e2d97d6c83fceede
  SHA256 9c47191ab4bc9c66f8e4836a9d0ed2174ef685b5b28a6e5b822cd261bfe1b39b
  SHA512 6a0317f95cbb95ba5b52cdeac588955a122ade830261f2db27b5e01b7dfcc1b79b3ba03139a5e9f7a9619a1727962adff6d910f2f466ecbc394e1b7067c77ef6

Filesize 209B
  MD5    a53f236a453aacf7dca207e69270f6fa
  SHA1   a50b2f394248bf3971976088b3868ccb3071cdeb
  SHA256 6c5a00b948d5ecde191fe7e446742795fde1d6d76354040ef366f1cb45ebd60e
  SHA512 f9ca937efbd696ad50a47b36cac55d0a078ccdcc842490fe4a7f8b076cf359c60ed9c166b5c1601d7be6ab907380281e8d632a497108543807f3d46426ef9480

Filesize 3.1MB (same hashes as the submitted sample)
  MD5    f21aa436096afece0b8c39c36bf4a9ab
  SHA1   976b74c6a4e59e59a812c06032aae71a0516236a
  SHA256 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
  SHA512 44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b