Malware Analysis Report

2025-04-14 08:19

Sample ID 250320-g1hgxavybs
Target 20032025_0616_ORDER_25320_7587-86548.js.rar
SHA256 5e543b70f37c0851efd3d0883c82428c961164ed0d02c2a8ab024da7861ea802
Tags
asyncrat wshrat march-25 discovery execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e543b70f37c0851efd3d0883c82428c961164ed0d02c2a8ab024da7861ea802

Threat Level: Known bad

The file 20032025_0616_ORDER_25320_7587-86548.js.rar was found to be: Known bad.

Malicious Activity Summary

WSHRAT

Asyncrat family

AsyncRat

Wshrat family

Async RAT payload

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Scheduled Task/Job: Scheduled Task

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-20 06:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 06:16

Reported

2025-03-20 06:21

Platform

win7-20250207-en

Max time kernel

296s

Max time network

301s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_25320_7587-86548.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A (44 identical entries)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|581E7694|JXXXDSWS|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 20/3/2025|JavaScript N/A N/A (43 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A (3 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 1872 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe (3 identical entries)
PID 2344 wrote to memory of 2332 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe (3 identical entries)
PID 2332 wrote to memory of 2952 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\RDo.exe (4 identical entries)
PID 1872 wrote to memory of 2828 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe (3 identical entries)
PID 2952 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2952 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2872 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe (4 identical entries)
PID 1044 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (4 identical entries)
PID 1044 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe (7 identical entries)

Note: every source/target pair in this table is a parent writing into a child it has just created, so the table doubles as the process tree: the initial wscript.exe (2344) starts WScript.exe 1872 and 2332; 2332 starts RDo.exe (2952); 1872 starts the wscript.exe //B instance (2828); RDo.exe starts the two cmd.exe instances that run schtasks and the .tmp.bat. No write into an unrelated, pre-existing process is recorded, so this signature on its own is not evidence of code injection.

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_25320_7587-86548.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Users\Admin\AppData\Local\Temp\RDo.exe

"C:\Users\Admin\AppData\Local\Temp\RDo.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

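The Processes table above, read together with the WriteProcessMemory pairs, describes a chain that endpoint telemetry can catch at several points: a script host run on a .js in Temp, a second wscript.exe started with //B on a script under AppData\Roaming (the same command line the Run key carries), a dropped EXE executed from Temp, and schtasks creating an onlogon task named "WindowsUpdate" after a timeout delay. The Python below is an added example written for this page, not sandbox code and not part of the original report; it encodes those observations as rules over constructed process-creation records modelled on the table. PIDs and parent links are taken from the WriteProcessMemory table; PPID 1000 for the first wscript.exe is a placeholder (the report does not show its parent), and which of PIDs 1872 and 2332 ran adobe.js versus word.js is inferred, not stated. The rule names, the ProcEvent shape and the check_run_value helper are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 or 4688 give you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample modelled on the report's Processes section. PIDs/parents come from the
# WriteProcessMemory table; PPID 1000 is a placeholder and the adobe.js/word.js-to-PID mapping is inferred.
SAMPLE_EVENTS = [
    ProcEvent(2344, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_25320_7587-86548.js"),
    ProcEvent(1872, 2344, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"'),
    ProcEvent(2332, 2344, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"'),
    ProcEvent(2952, 2332, r"C:\Users\Admin\AppData\Local\Temp\RDo.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\RDo.exe"'),
    ProcEvent(2828, 1872, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"'),
    ProcEvent(2872, 2952, r"C:\Windows\SysWOW64\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit'''),
    ProcEvent(1044, 2952, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.bat""'),
    ProcEvent(2548, 2872, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'"""),
    ProcEvent(2300, 1044, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2896, 1044, r"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP = "\\appdata\\local\\temp\\"
# a .js/.vbs-style script sitting under AppData\Local\Temp or AppData\Roaming
SCRIPT_IN_APPDATA = re.compile(r"\\appdata\\(?:local\\temp|roaming)\\[^\"']+\.(?:js|jse|vbs|vbe|wsf)\b")
# a generated batch file in Temp, as used here to delay and launch WindowsUpdate.exe
TEMP_BAT = re.compile(r"\\appdata\\local\\temp\\[^\"]+\.tmp\.bat\b")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_system_image(image: str) -> bool:
    return image.lower().startswith(SYSTEM_PREFIXES)


def check_process(ev: ProcEvent, by_pid: dict) -> list:
    """Return the names of the rules this one event triggers (rule names are this example's own)."""
    hits = []
    img = basename(ev.image)
    low = ev.cmdline.lower()
    parent = by_pid.get(ev.ppid)
    parent_img = basename(parent.image) if parent else ""

    # T1059.007: a script host executing a script from a user-writable profile path
    if img in SCRIPT_HOSTS and SCRIPT_IN_APPDATA.search(low):
        hits.append("script_host_appdata")
    # //B suppresses errors and prompts; with a Roaming path this is exactly the Run-key launcher in the report
    if img in SCRIPT_HOSTS and "//b" in low and "\\appdata\\roaming\\" in low:
        hits.append("wscript_silent_roaming")
    # T1053.005: logon-triggered task at highest run level whose action lives in Temp (fires on cmd.exe and schtasks.exe)
    if "schtasks" in low and "/create" in low and "/sc onlogon" in low and TEMP in low:
        hits.append("schtasks_onlogon_temp")
    # a non-OS binary run out of Temp by a script host or cmd.exe: the dropped payload
    if not is_system_image(ev.image) and TEMP in ev.image.lower() and parent_img in SCRIPT_HOSTS + ("cmd.exe",):
        hits.append("dropped_exe_in_temp")
    # cmd.exe running a generated .tmp.bat from Temp, and the timeout.exe delay it spawns
    if img == "cmd.exe" and TEMP_BAT.search(low):
        hits.append("cmd_tempbat")
    if img == "timeout.exe" and parent is not None and TEMP_BAT.search(parent.cmdline.lower()):
        hits.append("timeout_in_tempbat")
    return hits


def check_run_value(key_path: str, data: str) -> bool:
    """True for a Run value that starts a script host silently (//B) on a script under AppData,
    which is the HKCU and HKLM ...\\Run\\adobe persistence the report records."""
    low = data.lower()
    return (RUN_KEY.search(key_path) is not None
            and any(h in low for h in SCRIPT_HOSTS)
            and "//b" in low
            and "\\appdata\\" in low)


def scan(events) -> dict:
    """Map PID -> list of rule names that fired; PIDs with no hits are omitted."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        hits = check_process(e, by_pid)
        if hits:
            findings[e.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Run the file to print the hits per PID. In production the same checks run over Sysmon event 1/13 or 4688/4657 records; the //B-plus-AppData launcher and the onlogon task whose action points into Temp are the two rules with the best signal-to-noise, because legitimate software seldom does either, while "script host runs a script from Temp" will need allow-listing in environments that deploy logon scripts that way.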
Network

Country Destination Domain Proto
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 46.246.82.66:7044 chongmei33.myddns.rocks tcp (2 identical entries)
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.82.66:2703 chongmei33.publicvm.com tcp
SE 46.246.82.66:7044 chongmei33.publicvm.com tcp (42 identical entries)
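The Script User-Agent and Network tables show the two network-level fingerprints this sample leaves: a pipe-delimited User-Agent beginning with WSHRAT that carries a host ID, host name, user name and OS string, and repeated TCP sessions to 46.246.82.66:7044 (once :2703) reached through two dynamic-DNS names. The Python below is an added example for this page, not code from the report or from the malware: it parses that User-Agent into fields and runs UA, DDNS-suffix and C2-IP checks over a few constructed proxy log lines. The log-line format is an assumption of this example; the field meanings beyond the visible WSHRAT prefix and '|' layout (host ID as volume serial, computer name, AV string, USB-spread flag and install date) follow public write-ups of the WSHRAT/Houdini family and are marked as assumptions in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Infrastructure from this report's Network table; extend from your own intel.
DDNS_SUFFIXES = ("myddns.rocks", "publicvm.com")
KNOWN_C2_IPS = {"46.246.82.66"}


@dataclass
class Beacon:
    """Fields of a WSHRAT check-in User-Agent. Only the WSHRAT prefix and the '|' layout are visible in the
    report; the labels below follow public WSHRAT/Houdini analyses and are assumptions."""
    host_id: str        # e.g. 581E7694, a per-victim ID (described publicly as the volume serial)
    computer_name: str  # e.g. JXXXDSWS
    user: str           # e.g. Admin
    os: str             # e.g. Microsoft Windows 7 Ultimate
    version: str        # e.g. plus
    av: str             # e.g. nan-av (no AV product found)
    usb_spread: str     # "false" in the report
    install_date: str   # 20/3/2025 in the report
    script_type: str    # JavaScript


def parse_wshrat_ua(ua: str) -> Optional[Beacon]:
    """Split a WSHRAT User-Agent into its nine fields; None if the header is not one."""
    parts = ua.split("|")
    if len(parts) != 9 or parts[0] != "WSHRAT":
        return None
    usb, _, date = parts[7].partition(" - ")
    return Beacon(parts[1], parts[2], parts[3], parts[4].strip(), parts[5], parts[6], usb, date, parts[8])


def is_ddns(host: str) -> bool:
    """Exact or subdomain match against the dynamic-DNS suffixes, never a bare substring match."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES)


# Proxy-log shape assumed here (constructed): ts client host dst_ip:port method path "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>[\d.]+):(?P<port>\d+) '
                    r'(?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Constructed log lines; the UAs and the first two hosts/IP are copied from the report, the rest is made up.
SAMPLE_LOG = [
    '2025-03-20T06:17:02Z 10.0.0.5 chongmei33.publicvm.com 46.246.82.66:7044 POST / "WSHRAT|581E7694|JXXXDSWS|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 20/3/2025|JavaScript"',
    '2025-03-20T06:17:05Z 10.0.0.5 chongmei33.myddns.rocks 46.246.82.66:7044 POST / "WSHRAT|581E7694|JXXXDSWS|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 20/3/2025|JavaScript"',
    '2025-03-20T06:17:09Z 10.0.0.7 www.example.com 93.184.216.34:443 GET / "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-20T06:17:12Z 10.0.0.9 cdn.example.net 203.0.113.10:80 POST / "WSHRAT|5E8EB7C0|IQNFYLSS|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 20/3/2025|JavaScript"',
]


def analyse(lines) -> list:
    """One alert per log line that matches the UA format, a DDNS host or a known C2 IP."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        beacon = parse_wshrat_ua(m["ua"])
        if beacon:
            reasons.append("wshrat_ua")
        if is_ddns(m["host"]):
            reasons.append("ddns_host")
        if m["dst"] in KNOWN_C2_IPS:
            reasons.append("known_c2_ip")
        if reasons:
            alerts.append({"src": m["src"], "host": m["host"], "dst": m["dst"] + ":" + m["port"],
                           "reasons": reasons, "beacon": beacon})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        who = f"{a['beacon'].computer_name}\\{a['beacon'].user}" if a["beacon"] else "-"
        print(a["src"], "->", a["host"], a["dst"], ",".join(a["reasons"]), who)
```

The User-Agent is the strongest of the three checks: it fires on the fourth constructed line even though that destination is in neither list, which is what you want when the operator rotates DDNS names or the IP behind them. Both names resolved to the same IP in the report, so block the IP as well as the names, and because the beacon embeds the computer and user name, captured UAs identify the victim host directly when you scope the incident.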

Files

C:\Users\Admin\AppData\Local\Temp\adobe.js

MD5 294f1f4ee9bd1a410379ccc7430c7a69
SHA1 02436fc31c5fa37c3735dcff0f450c20e302e7a2
SHA256 f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187
SHA512 8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 33d6e875441823e698ea8b8c4739dfd4
SHA1 a446695785e38522c923a5340e43c236ac332616
SHA256 32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce
SHA512 633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

C:\Users\Admin\AppData\Local\Temp\RDo.exe

MD5 7e54eec2d10957178e6410ba1c899c21
SHA1 9f79b7ef7b24933b0b106a387fbf5834863dbc78
SHA256 d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8
SHA512 e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

memory/2952-20-0x0000000001010000-0x0000000001022000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp.bat

MD5 0541f3e0a795751c4d75b8a3a0ecf518
SHA1 fd6e2593271d20bed84018bb930b96140b7e8789
SHA256 50d68cd5e57cf67e0819404cf2ebae76db16ffe3abf0c41d443b10f0ef502de8
SHA512 d001a6383be5162567fc7d080884e728b25e376c15730b77cf0d109ab31e158b3b05697f159cfd984522fa02ef379402c8a741c59ed284c519e76b5bfca47473

memory/2896-33-0x0000000000F70000-0x0000000000F82000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-20 06:16

Reported

2025-03-20 06:21

Platform

win10v2004-20250314-en

Max time kernel

277s

Max time network

304s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_25320_7587-86548.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A (45 identical entries)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5E8EB7C0|IQNFYLSS|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 20/3/2025|JavaScript N/A N/A (48 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1880 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe (recorded 2 times)
PID 2296 wrote to memory of 4724 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe (recorded 2 times)
PID 1880 wrote to memory of 216 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe (recorded 2 times)
PID 4724 wrote to memory of 4460 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\RDo.exe (recorded 3 times)
PID 4460 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe (recorded 3 times)
PID 4460 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe (recorded 3 times)
PID 1740 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe (recorded 3 times)
PID 2188 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (recorded 3 times)
PID 2188 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe (recorded 3 times)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_25320_7587-86548.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"

C:\Users\Admin\AppData\Local\Temp\RDo.exe

"C:\Users\Admin\AppData\Local\Temp\RDo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C4F.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 46.246.82.66:7044 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
SE 46.246.82.66:7044 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.82.66:2703 chongmei33.publicvm.com tcp
SE 46.246.82.66:7044 chongmei33.publicvm.com tcp (recorded 9 times in sequence)
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
SE 46.246.82.66:7044 chongmei33.publicvm.com tcp (recorded 37 times in sequence)

Files

C:\Users\Admin\AppData\Local\Temp\adobe.js

MD5 294f1f4ee9bd1a410379ccc7430c7a69
SHA1 02436fc31c5fa37c3735dcff0f450c20e302e7a2
SHA256 f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187
SHA512 8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 33d6e875441823e698ea8b8c4739dfd4
SHA1 a446695785e38522c923a5340e43c236ac332616
SHA256 32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce
SHA512 633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

C:\Users\Admin\AppData\Local\Temp\RDo.exe

MD5 7e54eec2d10957178e6410ba1c899c21
SHA1 9f79b7ef7b24933b0b106a387fbf5834863dbc78
SHA256 d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8
SHA512 e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js

MD5 896317774de40ecc91cf4255f5928efe
SHA1 bab55693b7f897eb8dfbf1302759c7bb957db823
SHA256 7998ca7918b72f331c911ca7fe07557dadf2656515a9bedc07ba5ac10097a035
SHA512 3ab895ea07a20055c919750e80c33bcbff5deb3b408e2192f0768a5ddfe330e79ae67c55538a0ae2a3360d4c03e470041304c9afa8daefb9b16cb145edd9d1c6

memory/4460-25-0x00000000008B0000-0x00000000008C2000-memory.dmp

memory/4460-26-0x00000000052E0000-0x000000000537C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C4F.tmp.bat

MD5 5e8ca2f6c8c402e22de0a331b61c2d6b
SHA1 cd21ab06d0f293aef0701b593f6de01a05462ee0
SHA256 de91c571c40b4f3e5fc341a3d04ff7d92e0ce0903edaf8a1635638d40f34d93a
SHA512 8b1135fdf17949d69a56e43212b05533b836f09d14bd5234aede595dcc165a1e846238200c2d92b2a1faf3221b436ecb2e9af167b85a2f17d568e8d29845ec7d

memory/1952-36-0x0000000005490000-0x0000000005A34000-memory.dmp

memory/1952-37-0x0000000004EE0000-0x0000000004F46000-memory.dmp