Analysis
max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
17-12-2024 02:36
Behavioral task
behavioral1
Sample
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe
Resource
win10v2004-20241007-en
General
Target
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe
Size
3.1MB
MD5
f21aa436096afece0b8c39c36bf4a9ab
SHA1
976b74c6a4e59e59a812c06032aae71a0516236a
SHA256
43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10
SHA512
44500988e32db41452e83fcacfba7862fd1cc28ec1992b9040a408f155a5e6b416feb13dcf5afff690c615d51895476239575601cc255ecfb3973597ca13d15b
SSDEEP
49152:pvrI22SsaNYfdPBldt698dBcjHKO06CBxDPoGd9THHB72eh2NT:pvU22SsaNYfdPBldt6+dBcjH06O
Malware Config
Extracted
quasar
1.4.1
WenzCordRat
nickhill112-22345.portmap.host:22345
7ee1db41-359a-46b2-bba3-791dc7cde5e1
encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
install_name
WenzCord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update.exe
subdirectory
SubDir
Signatures
Quasar family
Quasar payload (10 IoCs)
resource | yara_rule
behavioral1/memory/2692-1-0x0000000000F40000-0x000000000126A000-memory.dmp | family_quasar
behavioral1/files/0x000c0000000186c8-6.dat | family_quasar
behavioral1/memory/2860-9-0x0000000001360000-0x000000000168A000-memory.dmp | family_quasar
behavioral1/memory/300-33-0x0000000000060000-0x000000000038A000-memory.dmp | family_quasar
behavioral1/memory/1564-44-0x0000000000120000-0x000000000044A000-memory.dmp | family_quasar
behavioral1/memory/1288-55-0x0000000000850000-0x0000000000B7A000-memory.dmp | family_quasar
behavioral1/memory/604-66-0x00000000003D0000-0x00000000006FA000-memory.dmp | family_quasar
behavioral1/memory/2100-77-0x00000000010C0000-0x00000000013EA000-memory.dmp | family_quasar
behavioral1/memory/2932-108-0x0000000001190000-0x00000000014BA000-memory.dmp | family_quasar
behavioral1/memory/2960-160-0x00000000013B0000-0x00000000016DA000-memory.dmp | family_quasar
Executes dropped EXE (16 IoCs)
pid | Process
2860 | WenzCord.exe
1536 | WenzCord.exe
300 | WenzCord.exe
1564 | WenzCord.exe
1288 | WenzCord.exe
604 | WenzCord.exe
2100 | WenzCord.exe
2908 | WenzCord.exe
2028 | WenzCord.exe
2932 | WenzCord.exe
864 | WenzCord.exe
1612 | WenzCord.exe
1220 | WenzCord.exe
2352 | WenzCord.exe
2960 | WenzCord.exe
1052 | WenzCord.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2448 | PING.EXE
2056 | PING.EXE
3024 | PING.EXE
2396 | PING.EXE
2360 | PING.EXE
320 | PING.EXE
1200 | PING.EXE
2084 | PING.EXE
2180 | PING.EXE
2720 | PING.EXE
1440 | PING.EXE
2816 | PING.EXE
1732 | PING.EXE
2512 | PING.EXE
1976 | PING.EXE
Runs ping.exe (1 TTPs, 15 IoCs)
pid | Process
2396 | PING.EXE
2448 | PING.EXE
2512 | PING.EXE
3024 | PING.EXE
320 | PING.EXE
1200 | PING.EXE
1440 | PING.EXE
2084 | PING.EXE
1976 | PING.EXE
2180 | PING.EXE
2816 | PING.EXE
2056 | PING.EXE
2360 | PING.EXE
1732 | PING.EXE
2720 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2316 | schtasks.exe
1760 | schtasks.exe
2560 | schtasks.exe
2996 | schtasks.exe
996 | schtasks.exe
2908 | schtasks.exe
1352 | schtasks.exe
2788 | schtasks.exe
468 | schtasks.exe
632 | schtasks.exe
2716 | schtasks.exe
1608 | schtasks.exe
2124 | schtasks.exe
1796 | schtasks.exe
1520 | schtasks.exe
2816 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2692 | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe
Token: SeDebugPrivilege | 2860 | WenzCord.exe
Token: SeDebugPrivilege | 1536 | WenzCord.exe
Token: SeDebugPrivilege | 300 | WenzCord.exe
Token: SeDebugPrivilege | 1564 | WenzCord.exe
Token: SeDebugPrivilege | 1288 | WenzCord.exe
Token: SeDebugPrivilege | 604 | WenzCord.exe
Token: SeDebugPrivilege | 2100 | WenzCord.exe
Token: SeDebugPrivilege | 2908 | WenzCord.exe
Token: SeDebugPrivilege | 2028 | WenzCord.exe
Token: SeDebugPrivilege | 2932 | WenzCord.exe
Token: SeDebugPrivilege | 864 | WenzCord.exe
Token: SeDebugPrivilege | 1612 | WenzCord.exe
Token: SeDebugPrivilege | 1220 | WenzCord.exe
Token: SeDebugPrivilege | 2352 | WenzCord.exe
Token: SeDebugPrivilege | 2960 | WenzCord.exe
Token: SeDebugPrivilege | 1052 | WenzCord.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2860 | WenzCord.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2692 wrote to memory of 2816 | 2692 | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe | 30
PID 2692 wrote to memory of 2816 | 2692 | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe | 30
PID 2692 wrote to memory of 2816 | 2692 | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe | 30
PID 2692 wrote to memory of 2860 | 2692 | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe | 32
PID 2692 wrote to memory of 2860 | 2692 | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe | 32
PID 2692 wrote to memory of 2860 | 2692 | 43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe | 32
PID 2860 wrote to memory of 2908 | 2860 | WenzCord.exe | 33
PID 2860 wrote to memory of 2908 | 2860 | WenzCord.exe | 33
PID 2860 wrote to memory of 2908 | 2860 | WenzCord.exe | 33
PID 2860 wrote to memory of 2596 | 2860 | WenzCord.exe | 35
PID 2860 wrote to memory of 2596 | 2860 | WenzCord.exe | 35
PID 2860 wrote to memory of 2596 | 2860 | WenzCord.exe | 35
PID 2596 wrote to memory of 3048 | 2596 | cmd.exe | 37
PID 2596 wrote to memory of 3048 | 2596 | cmd.exe | 37
PID 2596 wrote to memory of 3048 | 2596 | cmd.exe | 37
PID 2596 wrote to memory of 2396 | 2596 | cmd.exe | 38
PID 2596 wrote to memory of 2396 | 2596 | cmd.exe | 38
PID 2596 wrote to memory of 2396 | 2596 | cmd.exe | 38
PID 2596 wrote to memory of 1536 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 1536 | 2596 | cmd.exe | 39
PID 2596 wrote to memory of 1536 | 2596 | cmd.exe | 39
PID 1536 wrote to memory of 1608 | 1536 | WenzCord.exe | 40
PID 1536 wrote to memory of 1608 | 1536 | WenzCord.exe | 40
PID 1536 wrote to memory of 1608 | 1536 | WenzCord.exe | 40
PID 1536 wrote to memory of 2024 | 1536 | WenzCord.exe | 42
PID 1536 wrote to memory of 2024 | 1536 | WenzCord.exe | 42
PID 1536 wrote to memory of 2024 | 1536 | WenzCord.exe | 42
PID 2024 wrote to memory of 2748 | 2024 | cmd.exe | 44
PID 2024 wrote to memory of 2748 | 2024 | cmd.exe | 44
PID 2024 wrote to memory of 2748 | 2024 | cmd.exe | 44
PID 2024 wrote to memory of 2360 | 2024 | cmd.exe | 45
PID 2024 wrote to memory of 2360 | 2024 | cmd.exe | 45
PID 2024 wrote to memory of 2360 | 2024 | cmd.exe | 45
PID 2024 wrote to memory of 300 | 2024 | cmd.exe | 46
PID 2024 wrote to memory of 300 | 2024 | cmd.exe | 46
PID 2024 wrote to memory of 300 | 2024 | cmd.exe | 46
PID 300 wrote to memory of 2788 | 300 | WenzCord.exe | 47
PID 300 wrote to memory of 2788 | 300 | WenzCord.exe | 47
PID 300 wrote to memory of 2788 | 300 | WenzCord.exe | 47
PID 300 wrote to memory of 340 | 300 | WenzCord.exe | 49
PID 300 wrote to memory of 340 | 300 | WenzCord.exe | 49
PID 300 wrote to memory of 340 | 300 | WenzCord.exe | 49
PID 340 wrote to memory of 348 | 340 | cmd.exe | 51
PID 340 wrote to memory of 348 | 340 | cmd.exe | 51
PID 340 wrote to memory of 348 | 340 | cmd.exe | 51
PID 340 wrote to memory of 320 | 340 | cmd.exe | 52
PID 340 wrote to memory of 320 | 340 | cmd.exe | 52
PID 340 wrote to memory of 320 | 340 | cmd.exe | 52
PID 340 wrote to memory of 1564 | 340 | cmd.exe | 53
PID 340 wrote to memory of 1564 | 340 | cmd.exe | 53
PID 340 wrote to memory of 1564 | 340 | cmd.exe | 53
PID 1564 wrote to memory of 2124 | 1564 | WenzCord.exe | 54
PID 1564 wrote to memory of 2124 | 1564 | WenzCord.exe | 54
PID 1564 wrote to memory of 2124 | 1564 | WenzCord.exe | 54
PID 1564 wrote to memory of 1872 | 1564 | WenzCord.exe | 56
PID 1564 wrote to memory of 1872 | 1564 | WenzCord.exe | 56
PID 1564 wrote to memory of 1872 | 1564 | WenzCord.exe | 56
PID 1872 wrote to memory of 1092 | 1872 | cmd.exe | 58
PID 1872 wrote to memory of 1092 | 1872 | cmd.exe | 58
PID 1872 wrote to memory of 1092 | 1872 | cmd.exe | 58
PID 1872 wrote to memory of 1200 | 1872 | cmd.exe | 59
PID 1872 wrote to memory of 1200 | 1872 | cmd.exe | 59
PID 1872 wrote to memory of 1200 | 1872 | cmd.exe | 59
PID 1872 wrote to memory of 1288 | 1872 | cmd.exe | 60
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the depth number is the nesting level, with the submitted sample at depth 1)
[depth 1] C:\Users\Admin\AppData\Local\Temp\43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe (PID 2692)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\43e79ab56cd512db7348129670a3d2bbb652cae64ab7baca0320ab31390a3e10.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\system32\schtasks.exe (PID 2816)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 2] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 2860)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\system32\schtasks.exe (PID 2908)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 3] C:\Windows\system32\cmd.exe (PID 2596)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3FDCCU6EGqkF.bat" "
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\chcp.com (PID 3048)
  cmdline: chcp 65001
[depth 4] C:\Windows\system32\PING.EXE (PID 2396)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 4] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1536)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\system32\schtasks.exe (PID 1608)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 5] C:\Windows\system32\cmd.exe (PID 2024)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WPbkzH9sLvXu.bat" "
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\chcp.com (PID 2748)
  cmdline: chcp 65001
[depth 6] C:\Windows\system32\PING.EXE (PID 2360)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 6] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 300)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\system32\schtasks.exe (PID 2788)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 7] C:\Windows\system32\cmd.exe (PID 340)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eCIQcLCyVEa5.bat" "
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\chcp.com (PID 348)
  cmdline: chcp 65001
[depth 8] C:\Windows\system32\PING.EXE (PID 320)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 8] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1564)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\system32\schtasks.exe (PID 2124)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 9] C:\Windows\system32\cmd.exe (PID 1872)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5Sc4PODi9FJE.bat" "
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\chcp.com (PID 1092)
  cmdline: chcp 65001
[depth 10] C:\Windows\system32\PING.EXE (PID 1200)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 10] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1288)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 11] C:\Windows\system32\schtasks.exe (PID 1796)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 11] C:\Windows\system32\cmd.exe (PID 2464)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hp5yZDW5YAAR.bat" "
[depth 12] C:\Windows\system32\chcp.com (PID 1728)
  cmdline: chcp 65001
[depth 12] C:\Windows\system32\PING.EXE (PID 1440)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 12] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 604)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 13] C:\Windows\system32\schtasks.exe (PID 2316)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 13] C:\Windows\system32\cmd.exe (PID 2352)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\orf3MiFVCPLc.bat" "
[depth 14] C:\Windows\system32\chcp.com (PID 1852)
  cmdline: chcp 65001
[depth 14] C:\Windows\system32\PING.EXE (PID 2448)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 14] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 2100)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 15] C:\Windows\system32\schtasks.exe (PID 1760)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 15] C:\Windows\system32\cmd.exe (PID 1848)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TQ4j2UXMcE3r.bat" "
[depth 16] C:\Windows\system32\chcp.com (PID 2812)
  cmdline: chcp 65001
[depth 16] C:\Windows\system32\PING.EXE (PID 2816)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 16] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 2908)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 17] C:\Windows\system32\schtasks.exe (PID 2560)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 17] C:\Windows\system32\cmd.exe (PID 2844)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FZ6vwjhn7XPo.bat" "
[depth 18] C:\Windows\system32\chcp.com (PID 3044)
  cmdline: chcp 65001
[depth 18] C:\Windows\system32\PING.EXE (PID 2056)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 18] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 2028)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 19] C:\Windows\system32\schtasks.exe (PID 1520)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 19] C:\Windows\system32\cmd.exe (PID 1744)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\59FqrHtmfJ5z.bat" "
[depth 20] C:\Windows\system32\chcp.com (PID 2780)
  cmdline: chcp 65001
[depth 20] C:\Windows\system32\PING.EXE (PID 2084)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 20] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 2932)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 21] C:\Windows\system32\schtasks.exe (PID 468)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 21] C:\Windows\system32\cmd.exe (PID 912)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\iXSA6ATQUFAL.bat" "
[depth 22] C:\Windows\system32\chcp.com (PID 792)
  cmdline: chcp 65001
[depth 22] C:\Windows\system32\PING.EXE (PID 2512)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 22] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 864)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 23] C:\Windows\system32\schtasks.exe (PID 2996)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 23] C:\Windows\system32\cmd.exe (PID 2304)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\t6JG44PvEfvQ.bat" "
[depth 24] C:\Windows\system32\chcp.com (PID 1404)
  cmdline: chcp 65001
[depth 24] C:\Windows\system32\PING.EXE (PID 1976)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 24] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1612)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 25] C:\Windows\system32\schtasks.exe (PID 996)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 25] C:\Windows\system32\cmd.exe (PID 1620)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tbuXnCDi2cVk.bat" "
[depth 26] C:\Windows\system32\chcp.com (PID 1704)
  cmdline: chcp 65001
[depth 26] C:\Windows\system32\PING.EXE (PID 1732)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 26] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1220)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 27] C:\Windows\system32\schtasks.exe (PID 632)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 27] C:\Windows\system32\cmd.exe (PID 1676)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ANVDUy1ODvhp.bat" "
[depth 28] C:\Windows\system32\chcp.com (PID 2656)
  cmdline: chcp 65001
[depth 28] C:\Windows\system32\PING.EXE (PID 3024)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 28] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 2352)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 29] C:\Windows\system32\schtasks.exe (PID 1352)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 29] C:\Windows\system32\cmd.exe (PID 1468)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hchMXfkQRLZM.bat" "
[depth 30] C:\Windows\system32\chcp.com (PID 2644)
  cmdline: chcp 65001
[depth 30] C:\Windows\system32\PING.EXE (PID 2180)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 30] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 2960)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 31] C:\Windows\system32\schtasks.exe (PID 2716)
  cmdline: "schtasks" /create /tn "Update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 31] C:\Windows\system32\cmd.exe (PID 2620)
  cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\b9N5TgkP6aIw.bat" "
[depth 32] C:\Windows\system32\chcp.com (PID 2576)
  cmdline: chcp 65001
[depth 32] C:\Windows\system32\PING.EXE (PID 2720)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 32] C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe (PID 1052)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\WenzCord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Downloads