asyncrat | 5e543b70f37c0851efd3d0883c82428c961164ed0d02c2a8ab024da7861ea802

Analysis

max time kernel
277s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER_25320_7587-86548.js
Size

563KB
MD5

ab0dac9d1b9b83383dbc5d469d5fa1ae
SHA1

b15b24f82ef0a07fce5b7c2735d8a8b46b547287
SHA256

398e3d3d2ad8e2e91693c1682780d2352ebe962b67547af5c20735ae97ea94a9
SHA512

66829799b8233f142aa1420f1e2dd4dfbdc3f2417279b12481d87612a0d97add61d819e58c369818ac201a4ba568e92d5fcd4b9ce17fb68332eeb5718f2f72fc
SSDEEP

3072:MCAFTI3Ws7WZ4hRPhts7YRw7Xx5FzNM6x/P0UHD2yQ/ry:MCAFs3F7WZIhe7nbDIxu

Score

10^/10

asyncrat wshrat march-25 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
WindowsUpdate.exe
install_folder
%Temp%

aes.plain

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x00070000000240c9-14.dat	family_asyncrat

Blocklisted process makes network request 45 IoCs

flow	pid	Process
2	216	wscript.exe
22	216	wscript.exe
25	216	wscript.exe
26	216	wscript.exe
27	216	wscript.exe
34	216	wscript.exe
42	216	wscript.exe
46	216	wscript.exe
47	216	wscript.exe
48	216	wscript.exe
49	216	wscript.exe
57	216	wscript.exe
58	216	wscript.exe
59	216	wscript.exe
60	216	wscript.exe
61	216	wscript.exe
64	216	wscript.exe
65	216	wscript.exe
66	216	wscript.exe
67	216	wscript.exe
68	216	wscript.exe
69	216	wscript.exe
70	216	wscript.exe
71	216	wscript.exe
72	216	wscript.exe
73	216	wscript.exe
74	216	wscript.exe
75	216	wscript.exe
76	216	wscript.exe
77	216	wscript.exe
78	216	wscript.exe
80	216	wscript.exe
83	216	wscript.exe
84	216	wscript.exe
85	216	wscript.exe
86	216	wscript.exe
87	216	wscript.exe
88	216	wscript.exe
89	216	wscript.exe
90	216	wscript.exe
91	216	wscript.exe
92	216	wscript.exe
93	216	wscript.exe
94	216	wscript.exe
95	216	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	RDo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4460	RDo.exe
1952	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3236	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3412	schtasks.exe

Script User-Agent 48 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	94	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	59	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	2	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	49	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	85	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	92	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	95	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	25	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	34	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	42	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	47	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	68	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	71	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	87	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	26	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	57	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	60	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	70	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	86	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	88	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	22	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	27	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	48	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	61	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	64	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	65	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	80	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	46	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	69	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	66	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	84	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	91	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	96	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	67	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|5E8EB7C0\|IQNFYLSS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 20/3/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe
4460	RDo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	RDo.exe
Token: SeDebugPrivilege	1952	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1880	2296	wscript.exe	85
PID 2296 wrote to memory of 1880	2296	wscript.exe	85
PID 2296 wrote to memory of 4724	2296	wscript.exe	86
PID 2296 wrote to memory of 4724	2296	wscript.exe	86
PID 1880 wrote to memory of 216	1880	WScript.exe	87
PID 1880 wrote to memory of 216	1880	WScript.exe	87
PID 4724 wrote to memory of 4460	4724	WScript.exe	88
PID 4724 wrote to memory of 4460	4724	WScript.exe	88
PID 4724 wrote to memory of 4460	4724	WScript.exe	88
PID 4460 wrote to memory of 1740	4460	RDo.exe	93
PID 4460 wrote to memory of 1740	4460	RDo.exe	93
PID 4460 wrote to memory of 1740	4460	RDo.exe	93
PID 4460 wrote to memory of 2188	4460	RDo.exe	95
PID 4460 wrote to memory of 2188	4460	RDo.exe	95
PID 4460 wrote to memory of 2188	4460	RDo.exe	95
PID 1740 wrote to memory of 3412	1740	cmd.exe	97
PID 1740 wrote to memory of 3412	1740	cmd.exe	97
PID 1740 wrote to memory of 3412	1740	cmd.exe	97
PID 2188 wrote to memory of 3236	2188	cmd.exe	98
PID 2188 wrote to memory of 3236	2188	cmd.exe	98
PID 2188 wrote to memory of 3236	2188	cmd.exe	98
PID 2188 wrote to memory of 1952	2188	cmd.exe	99
PID 2188 wrote to memory of 1952	2188	cmd.exe	99
PID 2188 wrote to memory of 1952	2188	cmd.exe	99

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_25320_7587-86548.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:216
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\RDo.exe
    "C:\Users\Admin\AppData\Local\Temp\RDo.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C4F.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RDo.exe

Filesize
45KB

MD5
7e54eec2d10957178e6410ba1c899c21

SHA1
9f79b7ef7b24933b0b106a387fbf5834863dbc78

SHA256
d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8

SHA512
e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
305KB

MD5
294f1f4ee9bd1a410379ccc7430c7a69

SHA1
02436fc31c5fa37c3735dcff0f450c20e302e7a2

SHA256
f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187

SHA512
8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C4F.tmp.bat

Filesize
160B

MD5
5e8ca2f6c8c402e22de0a331b61c2d6b

SHA1
cd21ab06d0f293aef0701b593f6de01a05462ee0

SHA256
de91c571c40b4f3e5fc341a3d04ff7d92e0ce0903edaf8a1635638d40f34d93a

SHA512
8b1135fdf17949d69a56e43212b05533b836f09d14bd5234aede595dcc165a1e846238200c2d92b2a1faf3221b436ecb2e9af167b85a2f17d568e8d29845ec7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
82KB

MD5
33d6e875441823e698ea8b8c4739dfd4

SHA1
a446695785e38522c923a5340e43c236ac332616

SHA256
32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce

SHA512
633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js

Filesize
305KB

MD5
896317774de40ecc91cf4255f5928efe

SHA1
bab55693b7f897eb8dfbf1302759c7bb957db823

SHA256
7998ca7918b72f331c911ca7fe07557dadf2656515a9bedc07ba5ac10097a035

SHA512
3ab895ea07a20055c919750e80c33bcbff5deb3b408e2192f0768a5ddfe330e79ae67c55538a0ae2a3360d4c03e470041304c9afa8daefb9b16cb145edd9d1c6

Download Submit
memory/1952-36-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/1952-37-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/4460-25-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/4460-26-0x00000000052E0000-0x000000000537C000-memory.dmp

Filesize
624KB

Download