Malware Analysis Report

2025-04-14 08:20

Sample ID 250328-l97wdawpz2
Target ORDER_253890-5645FD.PDF.001
SHA256 9ea5c3c4853cb66cb692d2f1bd8d6405ca469487e69a6bac3a83a0c1ef64d784
Tags
asyncrat wshrat march-25-5 discovery execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ea5c3c4853cb66cb692d2f1bd8d6405ca469487e69a6bac3a83a0c1ef64d784

Threat Level: Known bad

The file ORDER_253890-5645FD.PDF.001 was found to be: Known bad.

Malicious Activity Summary

asyncrat wshrat march-25-5 discovery execution persistence rat trojan

Wshrat family

Asyncrat family

WSHRAT

AsyncRat

Async RAT payload

Blocklisted process makes network request

Boot or Logon Autostart Execution: Active Setup

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-28 10:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-28 10:15

Reported

2025-03-28 10:17

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.rar"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.rar"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-28 10:15

Reported

2025-03-28 10:17

Platform

win10v2004-20250314-en

Max time kernel

106s

Max time network

140s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.rar"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-28 10:15

Reported

2025-03-28 10:17

Platform

win7-20240903-en

Max time kernel

45s

Max time network

90s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1932 wrote to memory of 2940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1932 wrote to memory of 2940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1932 wrote to memory of 2956 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1932 wrote to memory of 2956 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1932 wrote to memory of 2956 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2956 wrote to memory of 1452 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Sgj.exe
PID 2956 wrote to memory of 1452 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Sgj.exe
PID 2956 wrote to memory of 1452 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Sgj.exe
PID 2956 wrote to memory of 1452 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Sgj.exe
PID 2940 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2940 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2940 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 1452 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1452 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1516 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1516 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1516 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2556 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2556 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2556 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2556 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Users\Admin\AppData\Local\Temp\Sgj.exe

"C:\Users\Admin\AppData\Local\Temp\Sgj.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 umarmira055.duckdns.org udp
US 192.169.69.26:7031 umarmira055.duckdns.org tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
US 192.169.69.26:7031 umarmira055.duckdns.org tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
US 192.169.69.26:7031 umarmira055.duckdns.org tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.86.67:2703 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 795dba1c09091b137e2450186b18a7d5
SHA1 313ce45b6aa0fd09fbf904178d214c9fe5096dd4
SHA256 0e780ba89b45b86e561d4dcfa1ed00f253cbc9e98e36b0d12ac89c438dfe9723
SHA512 e4096c66e13626bead3386294adf3c97464bc2e2f43bb37e65f200a0d16d4ceb5950ee5e4f05c8a6fb8ed5ca3ec4e3bc5b35ea271d212d172a040966a6946620

C:\Users\Admin\AppData\Local\Temp\audiodg.js

MD5 3ec7efca47f4105ce048b914d78e83d4
SHA1 33e942be440c609e005402bc33202aa6d6e77356
SHA256 82a498f04739913010ea3bd9b3137a686a5f8bdeb45e3a7d74613ce7e52f7885
SHA512 15ac7476f3bc9af427d30a0652b1d6618bae4076fdd59533754ebdb3234f89d2b9df893b715f7757e2e71eaf208b052d80bd707403e720b15e805c16c503eb32

C:\Users\Admin\AppData\Local\Temp\Sgj.exe

MD5 ece45103465f781d48cdc41a19e7d9cc
SHA1 d7025037bdf2bfb09b3797443ae00d8dbddd4eb7
SHA256 bb6af8f4ac8ab6c14b159b578a5097ad5d7827751230595dd3b2a3c767f3d869
SHA512 4e14419240dbd8ebba468afddf48a70df9d6a55ceaa149eb5873d99aac32eb0aaa5e536791db88d0bdd908eeab6b89d8901687be868ff3b9b0a0b841333f6b15

memory/1452-20-0x00000000012A0000-0x00000000012B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.bat

MD5 7c1eaac7876caa65aee10a7626d53ccf
SHA1 9227145f666d3551eb5aec34328a63e12ee4b9c8
SHA256 95185c19975cbfb3af5e1c4d2944787dd89be72fb84319dd3a81bb92317ab6bd
SHA512 c9bfeaeaa5b93c0a7e9a07b2127446691fad86b1e9067322fbb9ea8c75356bed22a570c61dd8d034b9891f9438cb2bc8b50fd512ed95f834ebf5888a4bc9f795

memory/2328-33-0x0000000000940000-0x0000000000952000-memory.dmp

memory/604-35-0x0000000004690000-0x0000000004691000-memory.dmp

memory/1864-63-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-28 10:15

Reported

2025-03-28 10:17

Platform

win10v2004-20250314-en

Max time kernel

147s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

WSHRAT

trojan wshrat

Wshrat family

wshrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" C:\Windows\system32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 3900 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1572 wrote to memory of 3900 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1572 wrote to memory of 2328 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1572 wrote to memory of 2328 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 3900 wrote to memory of 3076 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 3900 wrote to memory of 3076 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2328 wrote to memory of 5024 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Sgj.exe
PID 2328 wrote to memory of 5024 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Sgj.exe
PID 2328 wrote to memory of 5024 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\Sgj.exe
PID 548 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 548 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5764 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5764 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5928 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5928 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4436 wrote to memory of 4644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4436 wrote to memory of 4644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5620 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5620 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4460 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4460 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5024 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\Sgj.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 628 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 628 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 392 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 392 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 392 wrote to memory of 3240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 628 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 628 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 628 wrote to memory of 408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 556 wrote to memory of 5476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 556 wrote to memory of 5476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3432 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3432 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 2728 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 2728 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5204 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5204 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3472 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3472 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5184 wrote to memory of 5260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5184 wrote to memory of 5260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3928 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3928 wrote to memory of 2308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5708 wrote to memory of 5524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5708 wrote to memory of 5524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4300 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4300 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4312 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 4312 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3636 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 3636 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 8 wrote to memory of 6040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 8 wrote to memory of 6040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 6072 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 6072 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5652 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 5652 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Users\Admin\AppData\Local\Temp\Sgj.exe

"C:\Users\Admin\AppData\Local\Temp\Sgj.exe"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp71B5.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

C:\Windows\system32\wscript.exe

wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.86.67:2703 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
SE 46.246.86.67:7044 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.myddns.rocks udp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp
SE 46.246.86.67:7044 chongmei33.myddns.rocks tcp

Files

C:\Users\Admin\AppData\Local\Temp\audiodg.js

MD5 3ec7efca47f4105ce048b914d78e83d4
SHA1 33e942be440c609e005402bc33202aa6d6e77356
SHA256 82a498f04739913010ea3bd9b3137a686a5f8bdeb45e3a7d74613ce7e52f7885
SHA512 15ac7476f3bc9af427d30a0652b1d6618bae4076fdd59533754ebdb3234f89d2b9df893b715f7757e2e71eaf208b052d80bd707403e720b15e805c16c503eb32

C:\Users\Admin\AppData\Local\Temp\word.js

MD5 795dba1c09091b137e2450186b18a7d5
SHA1 313ce45b6aa0fd09fbf904178d214c9fe5096dd4
SHA256 0e780ba89b45b86e561d4dcfa1ed00f253cbc9e98e36b0d12ac89c438dfe9723
SHA512 e4096c66e13626bead3386294adf3c97464bc2e2f43bb37e65f200a0d16d4ceb5950ee5e4f05c8a6fb8ed5ca3ec4e3bc5b35ea271d212d172a040966a6946620

C:\Users\Admin\AppData\Local\Temp\Sgj.exe

MD5 ece45103465f781d48cdc41a19e7d9cc
SHA1 d7025037bdf2bfb09b3797443ae00d8dbddd4eb7
SHA256 bb6af8f4ac8ab6c14b159b578a5097ad5d7827751230595dd3b2a3c767f3d869
SHA512 4e14419240dbd8ebba468afddf48a70df9d6a55ceaa149eb5873d99aac32eb0aaa5e536791db88d0bdd908eeab6b89d8901687be868ff3b9b0a0b841333f6b15

memory/5024-25-0x0000000000460000-0x0000000000472000-memory.dmp

memory/5024-26-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp71B5.tmp.bat

MD5 7aa9503f86656dfdb639c2415eddfc17
SHA1 8bf4a00997600a42914fceda538c4e2cc4001af0
SHA256 bea7271cd1448a0b218acf70440a0e4a45910f2127fef62be3f889bc55ba5b2d
SHA512 eed21809d164ba8aa0bb4f46474ddf501d4d6779a6f2adc6a70823819db29f11c9edbe23684842b56387785ae48e25e87dc7ea12bf373195815bfe54a2e4c172

memory/408-37-0x0000000006EF0000-0x0000000007494000-memory.dmp

memory/408-38-0x0000000006390000-0x00000000063F6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js

MD5 b7417678889aa99107d73ba11b9d2073
SHA1 2faaede854623e3902cf0041c98dd1368bd133a6
SHA256 adc24684eb0c0731188ef83ebd05e0cd531586df3b37b85dfff2d593480985af
SHA512 77a052ed2cd174ecf280652eacf88e0ab796f5aea2516c79f64210f7f38ff6896ba5449ef86c52fa936ac7690648a1ad4119816e8cd78238c957446e3b1452de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js

MD5 9bd0763d02f938f0fd142eb891b0ced9
SHA1 7a63ca818bedb8047964effcd7571c7c049315d2
SHA256 809c071fe3f75b4d5c6fcbb1b58e53bc718cce994bad20f13afdf5539d419f43
SHA512 438798e61f9910b8391199904384bdd3e0c23c2bdff5fb9a6dac46a5dc8b90d4035895d790a938e246b967569be034c2efffd0ab47d2de8be78d60166e1c9615