Malware Analysis Report

2025-04-14 08:22

Sample ID 250325-e1qr6svjz5
Target 06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js
SHA256 06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43
Tags asyncrat wshrat march-25-3 discovery execution persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43

Threat Level: Known bad

The file 06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js was found to be: Known bad.

Malicious Activity Summary

asyncrat wshrat march-25-3 discovery execution persistence rat trojan

Asyncrat family

WSHRAT

Wshrat family

AsyncRat

Async RAT payload

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Drops startup file

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-25 04:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-25 04:24

Reported

2025-03-25 04:27

Platform

win7-20240903-en

Max time kernel

143s

Max time network

144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|44BAD2C8|JSMURNPT|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 25/3/2025|JavaScript N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\voau.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2016 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2104 wrote to memory of 2016 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2104 wrote to memory of 2016 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2016 wrote to memory of 2704 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2016 wrote to memory of 2704 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2016 wrote to memory of 2704 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2016 wrote to memory of 2856 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2016 wrote to memory of 2856 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2016 wrote to memory of 2856 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2704 wrote to memory of 2752 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2704 wrote to memory of 2752 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2704 wrote to memory of 2752 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2856 wrote to memory of 2792 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\voau.exe
PID 2856 wrote to memory of 2792 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\voau.exe
PID 2856 wrote to memory of 2792 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\voau.exe
PID 2856 wrote to memory of 2792 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\voau.exe
PID 2792 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2768 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2680 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2680 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2680 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2680 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2680 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2680 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2680 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Users\Admin\AppData\Local\Temp\voau.exe

"C:\Users\Admin\AppData\Local\Temp\voau.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDB13.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 172.245.208.13:80 172.245.208.13 tcp
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 46.246.82.71:7045 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 umarmira055.duckdns.org udp
US 192.169.69.26:7031 umarmira055.duckdns.org tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.82.71:2703 chongmei33.publicvm.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js

MD5 f1de7f0470e2222ec15f723328552060
SHA1 b91f0dd237e42c86ff2dc9e0703f2c28fc883cc0
SHA256 91b1a960d4812961796fbaf4b68877d0572690c8c61077a6136e5d3353e15322
SHA512 7f8ab3e7fc45d1e6af8d97b659d57ef8dbbdbe0520b431bc74d7e863c7fb616bbfacf32b95d8bb3d1e5a3f8a189c4e3cb99fa1244cdd0ba9132c3a9a9275dece

C:\Users\Admin\AppData\Local\Temp\audiodg.js

MD5 8e0fdb9701abffda2a79eaeddb1c1427
SHA1 5b5b6cea3cf292164ebdf876e51b60ba5693b1eb
SHA256 5c0cf9e91145d26bbdfc0139cd76e1f8c4d2871870bd990caa15b1d812f1b0ca
SHA512 caca005e62bb300a5b283e6b6e77c49c69df9e0a05a63bfb91a3110d670d06deedcaf23f5842444e1c889cff6ad46baf802ebac1f5f2d23075c1b096ff1f604e

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 5b2373801f840f7664798ce88d0d6769
SHA1 d603836aea5d5ccfea8c2c1868245a4195fa0e0e
SHA256 0853c14e5b450f4eeae8e1ac00a84b4fafa7ec84753e23c48e8febd7622eed1d
SHA512 16d7c4fa086219ff3360cf292233a64a86a14bf5656bf845c3d914bfd215598024c1dde21fda7089e02ea50bfd17fb5f157dd17aaa85d12491f6a555d918facf

C:\Users\Admin\AppData\Local\Temp\voau.exe

MD5 47d0cafc6e4b4d441bdc69eee3412b03
SHA1 437215d662e966b7856892124e2ba9c29f00f847
SHA256 0c529b0a3dd07b3ff191fe79f7381ff145987dba1b0ff5a61c0ef2f23e3bcc81
SHA512 47845fe65dcea889a4bf42f0fb0bfcdda5279a5c65707141c81088ca494f6151f40b03bae7cc731625b715bfc09787ae3c45c7788a37c95167e66ae4346d2e0b

memory/2792-27-0x0000000000020000-0x0000000000033000-memory.dmp

memory/2792-26-0x0000000000020000-0x0000000000033000-memory.dmp

memory/2792-28-0x0000000000550000-0x0000000000562000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDB13.tmp.bat

MD5 fd68182680dd2041522311e8fdd7b5bd
SHA1 35b418594b725541d65f00fc121a3788c1d91cac
SHA256 1e7c6d89f2ba1d2f18e6b390b36459c2b89eb2fdaba65e92f62f75a4075b1d3f
SHA512 3ff9555ad4bfc91a6ab6531a109b9961c9b702b7fe3db46168928109334acf6043444f3d48eed0316999cdeeb80185aaaebb1719ca211b8c973bb366b3e381cb

memory/2792-38-0x0000000001040000-0x0000000001075000-memory.dmp

memory/2904-46-0x0000000000170000-0x00000000001A5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-25 04:24

Reported

2025-03-25 04:27

Platform

win10v2004-20250313-en

Max time kernel

142s

Max time network

143s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\voau.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|AAF9C3A7|ELDOIJJI|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 25/3/2025|JavaScript N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\voau.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 1960 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 3300 wrote to memory of 1960 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1960 wrote to memory of 5376 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 1960 wrote to memory of 5376 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 1960 wrote to memory of 4028 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 1960 wrote to memory of 4028 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 5376 wrote to memory of 1252 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 5376 wrote to memory of 1252 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 4028 wrote to memory of 5156 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\voau.exe
PID 4028 wrote to memory of 5156 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\voau.exe
PID 4028 wrote to memory of 5156 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\voau.exe
PID 5156 wrote to memory of 5176 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 5156 wrote to memory of 5176 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 5156 wrote to memory of 5176 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 5156 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 5156 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 5156 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\voau.exe C:\Windows\SysWOW64\cmd.exe
PID 5176 wrote to memory of 5516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5176 wrote to memory of 5516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5176 wrote to memory of 5516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4316 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4316 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4316 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4316 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4316 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4316 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Users\Admin\AppData\Local\Temp\voau.exe

"C:\Users\Admin\AppData\Local\Temp\voau.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3C29.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 172.245.208.13:80 172.245.208.13 tcp
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 46.246.82.71:7045 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.82.71:2703 chongmei33.publicvm.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js

MD5 f1de7f0470e2222ec15f723328552060
SHA1 b91f0dd237e42c86ff2dc9e0703f2c28fc883cc0
SHA256 91b1a960d4812961796fbaf4b68877d0572690c8c61077a6136e5d3353e15322
SHA512 7f8ab3e7fc45d1e6af8d97b659d57ef8dbbdbe0520b431bc74d7e863c7fb616bbfacf32b95d8bb3d1e5a3f8a189c4e3cb99fa1244cdd0ba9132c3a9a9275dece

C:\Users\Admin\AppData\Local\Temp\audiodg.js

MD5 8e0fdb9701abffda2a79eaeddb1c1427
SHA1 5b5b6cea3cf292164ebdf876e51b60ba5693b1eb
SHA256 5c0cf9e91145d26bbdfc0139cd76e1f8c4d2871870bd990caa15b1d812f1b0ca
SHA512 caca005e62bb300a5b283e6b6e77c49c69df9e0a05a63bfb91a3110d670d06deedcaf23f5842444e1c889cff6ad46baf802ebac1f5f2d23075c1b096ff1f604e

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 5b2373801f840f7664798ce88d0d6769
SHA1 d603836aea5d5ccfea8c2c1868245a4195fa0e0e
SHA256 0853c14e5b450f4eeae8e1ac00a84b4fafa7ec84753e23c48e8febd7622eed1d
SHA512 16d7c4fa086219ff3360cf292233a64a86a14bf5656bf845c3d914bfd215598024c1dde21fda7089e02ea50bfd17fb5f157dd17aaa85d12491f6a555d918facf

C:\Users\Admin\AppData\Local\Temp\voau.exe

MD5 47d0cafc6e4b4d441bdc69eee3412b03
SHA1 437215d662e966b7856892124e2ba9c29f00f847
SHA256 0c529b0a3dd07b3ff191fe79f7381ff145987dba1b0ff5a61c0ef2f23e3bcc81
SHA512 47845fe65dcea889a4bf42f0fb0bfcdda5279a5c65707141c81088ca494f6151f40b03bae7cc731625b715bfc09787ae3c45c7788a37c95167e66ae4346d2e0b

memory/5156-27-0x0000000000A70000-0x0000000000A83000-memory.dmp

memory/5156-28-0x0000000003180000-0x0000000003192000-memory.dmp

memory/5156-29-0x0000000005A50000-0x0000000005AEC000-memory.dmp

memory/5156-34-0x00000000009F0000-0x0000000000A25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3C29.tmp.bat

MD5 bd2d7c42d26dd44744ca185dd9acc385
SHA1 055a1f83f8702934d955f5007e534019a0bf98f6
SHA256 47ab85594f91da25844b35d4bed4ca53c4901bc1872123312428d8223cb70491
SHA512 7c2c0af57bd4b06aed1830a1a978d63c1846173687a3da6257ab1502e910e634263cfff8d004de8f24ebe68e9cf006b32e1fff94d3ac3c83170e011c41d58b0b

memory/856-42-0x0000000006FB0000-0x0000000007554000-memory.dmp

memory/856-43-0x0000000006650000-0x00000000066B6000-memory.dmp

memory/856-44-0x0000000000D00000-0x0000000000D35000-memory.dmp