Malware Analysis Report

2025-04-14 08:20

Sample ID 250321-atq25svly2
Target 21032025_0030_ORDER#25320789-408AC.js.rar
SHA256 e2cd159471fae8f63a93941dadbf648084af0f383abf22952cf4134b1460bbb2
Tags
asyncrat wshrat march-25 discovery execution persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e2cd159471fae8f63a93941dadbf648084af0f383abf22952cf4134b1460bbb2

Threat Level: Known bad

The file 21032025_0030_ORDER#25320789-408AC.js.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat wshrat march-25 discovery execution persistence rat trojan

Asyncrat family

Wshrat family

AsyncRat

WSHRAT

Async RAT payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-21 00:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-21 00:30

Reported

2025-03-21 00:35

Platform

win7-20240903-en

Max time kernel

294s

Max time network

296s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER#25320789-408AC.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A (52 identical rows)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|7CBFD7FF|CCJBVTGQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 21/3/2025|JavaScript N/A N/A (52 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A (3 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2020 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe (3 identical rows)
PID 2196 wrote to memory of 2544 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe (3 identical rows)
PID 2020 wrote to memory of 2172 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe (3 identical rows)
PID 2544 wrote to memory of 2772 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\RDo.exe (4 identical rows)
PID 2772 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2772 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 3056 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe (4 identical rows)
PID 348 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (4 identical rows)
PID 348 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe (7 identical rows)
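The WriteProcessMemory rows are the only place this report records parent/child PIDs, so they can be turned into the process tree the Processes list below flattens. The script that follows is an added example, not part of the sandbox output: its input is transcribed from the table above (one duplicate row kept on purpose, since the sandbox logs several writes per child), and the labelled assumption is that a parent writing into a freshly created child's memory ("PID n wrote to memory of m") is the creation edge.

```python
"""Rebuild the behavioral1 process tree from the report's
'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not part of the sandbox output. WPM_ROWS is
transcribed from the table above; the assumption is that a parent's writes
into a just-created child ("PID n wrote to memory of m") mark the creation
edge, which is how this sandbox surfaces process creation.
"""
import re
from collections import defaultdict

WPM_ROWS = r"""
PID 2196 wrote to memory of 2020 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2196 wrote to memory of 2020 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2196 wrote to memory of 2544 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 2172 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2544 wrote to memory of 2772 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\RDo.exe
PID 2772 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 348 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 348 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"""

# Columns: Description ("PID n wrote to memory of m"), Indicator (N/A), Process, Target.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_wpm_rows(text):
    """Return (edges, images): unique (parent, child) PID pairs in first-seen
    order, and a pid -> image path map taken from the Process/Target columns."""
    edges, images = [], {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images[dst] = m["dst_img"]
        if (src, dst) not in edges:  # the sandbox logs several writes per child
            edges.append((src, dst))
    return edges, images


def build_tree(edges):
    """Children map plus the root PIDs (those nobody wrote into)."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    written_to = {child for _, child in edges}
    roots = [pid for pid in children if pid not in written_to]
    return children, roots


def lineage(pid, edges):
    """Ancestor chain from the root down to pid (a SIEM 'parent chain' field)."""
    parent_of = {child: parent for parent, child in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid}  {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges, images = parse_wpm_rows(WPM_ROWS)
    children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, images, root)))
    print("lineage of WindowsUpdate.exe:", " -> ".join(map(str, lineage(2388, edges))))
```

The tree this prints identifies the two second-level WScript.exe instances (2020 and 2544) by PID only: the Processes list below gives the adobe.js and word.js command lines without PIDs, so the page does not say which of the two ran which script. What the table does establish is that RDo.exe (the dropped EXE carrying the AsyncRAT payload) descends from the 2544 branch, and that WindowsUpdate.exe is started from RDo.exe via cmd.exe and the temporary batch file.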

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER#25320789-408AC.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"

C:\Users\Admin\AppData\Local\Temp\RDo.exe

"C:\Users\Admin\AppData\Local\Temp\RDo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

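The Run values, the Startup-folder copy of adobe.js and the schtasks onlogon task above are the three persistence mechanisms this sample leaves behind, and each has a clean host-side detection. The script below is an added example, not part of the sandbox report: the event shape (type, image, key, data, path, cmdline) is a Sysmon-like layout assumed for the demo, the first four events are transcribed from the tables above, and the last two are constructed benign autostarts used as negative cases.

```python
"""Detection logic for the persistence this sample sets up, run over
constructed Sysmon-style events.

Added example, not part of the sandbox report. The event layout is an
assumption made for the demo; four events are transcribed from the report,
the last two are constructed benign autostarts used as negative cases.
"""
import re

SCRIPT_HOST = re.compile(r"(?i)\b[wc]script(?:\.exe)?\b")
BATCH_SILENT = re.compile(r"(?i)(?:^|\s)//?b\b")  # //B or /B: batch mode, no error dialogs
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\appdata\\|\\programdata\\|\\windows\\temp\\|%(?:appdata|localappdata|temp|tmp)%"
)
STARTUP_SCRIPT = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:js|jse|vbs|vbe|wsf|hta)$")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")

EVENTS = [
    # Transcribed from 'Adds Run key to start application' (HKU and HKLM values).
    {"type": "registry_set", "image": r"C:\Windows\System32\WScript.exe",
     "key": r"HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"'},
    {"type": "registry_set", "image": r"C:\Windows\System32\WScript.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"'},
    # Transcribed from 'Drops startup file'.
    {"type": "file_create", "image": r"C:\Windows\System32\WScript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js"},
    # Transcribed from the schtasks.exe command line in the Processes list.
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '
                + "'" + r'"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' + "'"},
    # Constructed benign autostarts (not from the report) as negative cases.
    {"type": "registry_set", "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
]


def schtasks_fields(cmdline):
    """Pull /sc, /rl, /tn and /tr out of a schtasks command line; values may be
    bare, double-quoted, or single-quoted around a double-quoted path as here."""
    fields = {}
    for m in re.finditer(r"/(sc|rl|tn|tr)\s+(\"[^\"]*\"|'[^']*'|\S+)", cmdline, re.I):
        fields[m.group(1).lower()] = m.group(2).strip("'\"")
    return fields


def check_event(ev):
    """Return (rule, detail) hits for one event; an empty list means nothing fired."""
    hits = []
    if ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
        data = ev["data"]
        # A script host launched silently against a user-writable script is the WSHRAT pattern.
        if SCRIPT_HOST.search(data) and BATCH_SILENT.search(data) and USER_WRITABLE.search(data):
            hits.append(("run_key_script_host", ev["key"]))
    elif ev["type"] == "file_create" and STARTUP_SCRIPT.search(ev["path"]):
        hits.append(("startup_folder_script", ev["path"]))
    elif ev["type"] == "process_create" and ev["image"].lower().endswith("\\schtasks.exe"):
        f = schtasks_fields(ev["cmdline"])
        # Logon/boot trigger + highest run level + target under a user-writable directory.
        if ("/create" in ev["cmdline"].lower()
                and f.get("sc", "").lower() in ("onlogon", "onstart")
                and f.get("rl", "").lower() == "highest"
                and USER_WRITABLE.search(f.get("tr", ""))):
            hits.append(("logon_task_from_user_dir", f["tr"]))
    return hits


def scan(events):
    """Run every event through the rules; returns the flat hit list."""
    return [hit for ev in events for hit in check_event(ev)]


if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"{rule:28} {detail}")
```

Both the HKLM Run value and a /rl highest task need an elevated token; they succeeded here because the detonation runs as an administrator. On a standard-user host only the HKCU value and the Startup-folder copy would survive, which is why the rules treat each mechanism separately rather than requiring all three.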
Network

Country Destination Domain Proto
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 188.126.90.66:7044 chongmei33.myddns.rocks tcp (6 rows)
US 8.8.8.8:53 umarmira055.duckdns.org udp
US 192.169.69.26:7031 umarmira055.duckdns.org tcp (4 rows)
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 188.126.90.66:2703 chongmei33.publicvm.com tcp
SE 188.126.90.66:7044 chongmei33.publicvm.com tcp (46 rows)
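The Network table repeats the same few destinations dozens of times, and the same C2 IP sits behind two different dynamic-DNS names (chongmei33.myddns.rocks and chongmei33.publicvm.com both resolve to 188.126.90.66). The script below is an added example, not part of the sandbox output: it normalises a subset of the rows above into a de-duplicated indicator list and a firewall/DNS blocklist. The dynamic-DNS suffix list is an assumption for the demo and belongs in your own intel feed; note also that the report does not say which destination belongs to which of the two families.

```python
"""De-duplicate the report's Network table into a C2 indicator list.

Added example, not part of the sandbox output. NETWORK_ROWS is a subset of
the rows above (the full table repeats 188.126.90.66:7044 dozens of times);
DDNS_SUFFIXES is an assumed list for the demo, to be replaced by your own.
"""
import re
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 188.126.90.66:7044 chongmei33.myddns.rocks tcp
SE 188.126.90.66:7044 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 umarmira055.duckdns.org udp
US 192.169.69.26:7031 umarmira055.duckdns.org tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 188.126.90.66:2703 chongmei33.publicvm.com tcp
SE 188.126.90.66:7044 chongmei33.publicvm.com tcp
SE 188.126.90.66:7044 chongmei33.publicvm.com tcp
"""

DDNS_SUFFIXES = ("duckdns.org", "myddns.rocks", "publicvm.com")  # assumed list for the demo

# Columns: Country, Destination (ip:port), Domain, Proto.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$"
)


def parse_network_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"], "proto": m["proto"]})
    return rows


def is_dynamic_dns(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def summarise(rows):
    """Separate resolver lookups (udp/53) from the C2 sessions and count each unique tuple."""
    c2, dns = Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            dns[(r["ip"], r["domain"])] += 1
        else:
            c2[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    return c2, dns


def indicators(rows):
    """One record per unique C2 destination, busiest first, flagged when the name is dynamic DNS."""
    c2, _ = summarise(rows)
    return [{"domain": d, "ip": ip, "port": port, "proto": proto,
             "sessions": n, "dynamic_dns": is_dynamic_dns(d)}
            for (d, ip, port, proto), n in sorted(c2.items(), key=lambda kv: (-kv[1], kv[0]))]


def hosts_by_ip(rows):
    """Group names and ports per C2 IP: one server behind several DDNS names is one host to block."""
    c2, _ = summarise(rows)
    by_ip = {}
    for (d, ip, port, _proto) in c2:
        entry = by_ip.setdefault(ip, {"domains": set(), "ports": set()})
        entry["domains"].add(d)
        entry["ports"].add(port)
    return by_ip


def to_blocklist(rows):
    """'ip:port' entries for a firewall rule and bare domains for a DNS sinkhole/RPZ."""
    c2, _ = summarise(rows)
    ipports = sorted({f"{ip}:{port}" for (_, ip, port, _) in c2})
    domains = sorted({d for (d, _, _, _) in c2})
    return ipports, domains


if __name__ == "__main__":
    rows = parse_network_rows(NETWORK_ROWS)
    for ind in indicators(rows):
        print(ind)
    print(hosts_by_ip(rows))
    print(to_blocklist(rows))
```

Blocking by domain alone is weak here: both names are on free dynamic-DNS services and the operator can re-point them in minutes, so the ip:port pairs and the DDNS-provider flag are the durable part of the output.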

Files

C:\Users\Admin\AppData\Local\Temp\adobe.js

MD5 294f1f4ee9bd1a410379ccc7430c7a69
SHA1 02436fc31c5fa37c3735dcff0f450c20e302e7a2
SHA256 f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187
SHA512 8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 33d6e875441823e698ea8b8c4739dfd4
SHA1 a446695785e38522c923a5340e43c236ac332616
SHA256 32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce
SHA512 633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

C:\Users\Admin\AppData\Local\Temp\RDo.exe

MD5 7e54eec2d10957178e6410ba1c899c21
SHA1 9f79b7ef7b24933b0b106a387fbf5834863dbc78
SHA256 d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8
SHA512 e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

memory/2772-20-0x0000000000C90000-0x0000000000CA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.bat

MD5 bc8f6ff3139606525487b71f2bd87b15
SHA1 8a31930f009baf9100624644c0d72c5937687fc2
SHA256 aaa805c78088a296567a6ce20c191181adf668482de2c2fda743a68e0996beca
SHA512 d28f6bc4eaf55fcd26dd0d9ef0d45be401a6c0bee7f72c86bc5fbd5843c362fde1145c532b44caaf99472fcb09e19c358a63d13a055c714ad853a674f09b4991

memory/2388-33-0x00000000001C0000-0x00000000001D2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-21 00:30

Reported

2025-03-21 00:35

Platform

win10v2004-20250314-en

Max time kernel

298s

Max time network

300s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER#25320789-408AC.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A (53 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" C:\Windows\System32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|AE8ED450|QJHNVQMW|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 21/3/2025|JavaScript N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 3020 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1992 wrote to memory of 1352 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 3020 wrote to memory of 2948 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 1352 wrote to memory of 936 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\RDo.exe
PID 936 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\RDo.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 376 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 376 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER#25320789-408AC.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"

C:\Users\Admin\AppData\Local\Temp\RDo.exe

"C:\Users\Admin\AppData\Local\Temp\RDo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp73A9.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 188.126.90.66:7044 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 umarmira055.duckdns.org udp
US 192.169.69.26:7031 umarmira055.duckdns.org tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 188.126.90.66:2703 chongmei33.publicvm.com tcp
SE 188.126.90.66:7044 chongmei33.publicvm.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\adobe.js

MD5 294f1f4ee9bd1a410379ccc7430c7a69
SHA1 02436fc31c5fa37c3735dcff0f450c20e302e7a2
SHA256 f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187
SHA512 8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 33d6e875441823e698ea8b8c4739dfd4
SHA1 a446695785e38522c923a5340e43c236ac332616
SHA256 32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce
SHA512 633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

C:\Users\Admin\AppData\Local\Temp\RDo.exe

MD5 7e54eec2d10957178e6410ba1c899c21
SHA1 9f79b7ef7b24933b0b106a387fbf5834863dbc78
SHA256 d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8
SHA512 e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

memory/936-25-0x0000000000090000-0x00000000000A2000-memory.dmp

memory/936-26-0x0000000004A60000-0x0000000004AFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp73A9.tmp.bat

MD5 047c6b241b127a136473c9f820e50e82
SHA1 1429cf7c78a851ebd3ee0c37eb6b03b9e5a13707
SHA256 fcd0b37a5ce37ff6a005b7280e25a1dec70372cc2ea669c967e6a746fcf95f7e
SHA512 53a893abecb257dbb0052bfcb316a4ab79ee31d271f91e5566601f8c6c6078c130e89ec79a204ef4e3f17e6f7d314b9d4242a11cfea7ccc26cbb94b807392b76

memory/2716-41-0x0000000005FD0000-0x0000000006574000-memory.dmp

memory/2716-42-0x0000000005A90000-0x0000000005AF6000-memory.dmp