Analysis Overview
SHA256
9ea5c3c4853cb66cb692d2f1bd8d6405ca469487e69a6bac3a83a0c1ef64d784
Threat Level: Known bad
The file ORDER_253890-5645FD.PDF.001 was found to be: Known bad.
Malicious Activity Summary
Wshrat family
Asyncrat family
WSHRAT
AsyncRat
Async RAT payload
Blocklisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-28 10:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-28 10:15
Reported
2025-03-28 10:17
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-28 10:15
Reported
2025-03-28 10:17
Platform
win10v2004-20250314-en
Max time kernel
106s
Max time network
140s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.rar"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-28 10:15
Reported
2025-03-28 10:17
Platform
win7-20240903-en
Max time kernel
45s
Max time network
90s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|B4BE3DCB|KHBTHJFA|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 28/3/2025|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
C:\Users\Admin\AppData\Local\Temp\Sgj.exe
"C:\Users\Admin\AppData\Local\Temp\Sgj.exe"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | chongmei33.myddns.rocks | udp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| US | 8.8.8.8:53 | umarmira055.duckdns.org | udp |
| US | 192.169.69.26:7031 | umarmira055.duckdns.org | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| US | 192.169.69.26:7031 | umarmira055.duckdns.org | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| US | 192.169.69.26:7031 | umarmira055.duckdns.org | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.86.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\word.js
| MD5 | 795dba1c09091b137e2450186b18a7d5 |
| SHA1 | 313ce45b6aa0fd09fbf904178d214c9fe5096dd4 |
| SHA256 | 0e780ba89b45b86e561d4dcfa1ed00f253cbc9e98e36b0d12ac89c438dfe9723 |
| SHA512 | e4096c66e13626bead3386294adf3c97464bc2e2f43bb37e65f200a0d16d4ceb5950ee5e4f05c8a6fb8ed5ca3ec4e3bc5b35ea271d212d172a040966a6946620 |
C:\Users\Admin\AppData\Local\Temp\audiodg.js
| MD5 | 3ec7efca47f4105ce048b914d78e83d4 |
| SHA1 | 33e942be440c609e005402bc33202aa6d6e77356 |
| SHA256 | 82a498f04739913010ea3bd9b3137a686a5f8bdeb45e3a7d74613ce7e52f7885 |
| SHA512 | 15ac7476f3bc9af427d30a0652b1d6618bae4076fdd59533754ebdb3234f89d2b9df893b715f7757e2e71eaf208b052d80bd707403e720b15e805c16c503eb32 |
C:\Users\Admin\AppData\Local\Temp\Sgj.exe
| MD5 | ece45103465f781d48cdc41a19e7d9cc |
| SHA1 | d7025037bdf2bfb09b3797443ae00d8dbddd4eb7 |
| SHA256 | bb6af8f4ac8ab6c14b159b578a5097ad5d7827751230595dd3b2a3c767f3d869 |
| SHA512 | 4e14419240dbd8ebba468afddf48a70df9d6a55ceaa149eb5873d99aac32eb0aaa5e536791db88d0bdd908eeab6b89d8901687be868ff3b9b0a0b841333f6b15 |
memory/1452-20-0x00000000012A0000-0x00000000012B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.bat
| MD5 | 7c1eaac7876caa65aee10a7626d53ccf |
| SHA1 | 9227145f666d3551eb5aec34328a63e12ee4b9c8 |
| SHA256 | 95185c19975cbfb3af5e1c4d2944787dd89be72fb84319dd3a81bb92317ab6bd |
| SHA512 | c9bfeaeaa5b93c0a7e9a07b2127446691fad86b1e9067322fbb9ea8c75356bed22a570c61dd8d034b9891f9438cb2bc8b50fd512ed95f834ebf5888a4bc9f795 |
memory/2328-33-0x0000000000940000-0x0000000000952000-memory.dmp
memory/604-35-0x0000000004690000-0x0000000004691000-memory.dmp
memory/1864-63-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-03-28 10:15
Reported
2025-03-28 10:17
Platform
win10v2004-20250314-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\"" | C:\Windows\system32\wscript.exe | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|4AA2680D|JXPVMCYC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 28/3/2025|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Sgj.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Users\Admin\AppData\Local\Temp\Sgj.exe
"C:\Users\Admin\AppData\Local\Temp\Sgj.exe"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp71B5.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
C:\Windows\system32\wscript.exe
wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chongmei33.myddns.rocks | udp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.86.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.86.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | chongmei33.myddns.rocks | udp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
| SE | 46.246.86.67:7044 | chongmei33.myddns.rocks | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\audiodg.js
| MD5 | 3ec7efca47f4105ce048b914d78e83d4 |
| SHA1 | 33e942be440c609e005402bc33202aa6d6e77356 |
| SHA256 | 82a498f04739913010ea3bd9b3137a686a5f8bdeb45e3a7d74613ce7e52f7885 |
| SHA512 | 15ac7476f3bc9af427d30a0652b1d6618bae4076fdd59533754ebdb3234f89d2b9df893b715f7757e2e71eaf208b052d80bd707403e720b15e805c16c503eb32 |
C:\Users\Admin\AppData\Local\Temp\word.js
| MD5 | 795dba1c09091b137e2450186b18a7d5 |
| SHA1 | 313ce45b6aa0fd09fbf904178d214c9fe5096dd4 |
| SHA256 | 0e780ba89b45b86e561d4dcfa1ed00f253cbc9e98e36b0d12ac89c438dfe9723 |
| SHA512 | e4096c66e13626bead3386294adf3c97464bc2e2f43bb37e65f200a0d16d4ceb5950ee5e4f05c8a6fb8ed5ca3ec4e3bc5b35ea271d212d172a040966a6946620 |
C:\Users\Admin\AppData\Local\Temp\Sgj.exe
| MD5 | ece45103465f781d48cdc41a19e7d9cc |
| SHA1 | d7025037bdf2bfb09b3797443ae00d8dbddd4eb7 |
| SHA256 | bb6af8f4ac8ab6c14b159b578a5097ad5d7827751230595dd3b2a3c767f3d869 |
| SHA512 | 4e14419240dbd8ebba468afddf48a70df9d6a55ceaa149eb5873d99aac32eb0aaa5e536791db88d0bdd908eeab6b89d8901687be868ff3b9b0a0b841333f6b15 |
memory/5024-25-0x0000000000460000-0x0000000000472000-memory.dmp
memory/5024-26-0x0000000004CD0000-0x0000000004D6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp71B5.tmp.bat
| MD5 | 7aa9503f86656dfdb639c2415eddfc17 |
| SHA1 | 8bf4a00997600a42914fceda538c4e2cc4001af0 |
| SHA256 | bea7271cd1448a0b218acf70440a0e4a45910f2127fef62be3f889bc55ba5b2d |
| SHA512 | eed21809d164ba8aa0bb4f46474ddf501d4d6779a6f2adc6a70823819db29f11c9edbe23684842b56387785ae48e25e87dc7ea12bf373195815bfe54a2e4c172 |
memory/408-37-0x0000000006EF0000-0x0000000007494000-memory.dmp
memory/408-38-0x0000000006390000-0x00000000063F6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js
| MD5 | b7417678889aa99107d73ba11b9d2073 |
| SHA1 | 2faaede854623e3902cf0041c98dd1368bd133a6 |
| SHA256 | adc24684eb0c0731188ef83ebd05e0cd531586df3b37b85dfff2d593480985af |
| SHA512 | 77a052ed2cd174ecf280652eacf88e0ab796f5aea2516c79f64210f7f38ff6896ba5449ef86c52fa936ac7690648a1ad4119816e8cd78238c957446e3b1452de |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js
| MD5 | 9bd0763d02f938f0fd142eb891b0ced9 |
| SHA1 | 7a63ca818bedb8047964effcd7571c7c049315d2 |
| SHA256 | 809c071fe3f75b4d5c6fcbb1b58e53bc718cce994bad20f13afdf5539d419f43 |
| SHA512 | 438798e61f9910b8391199904384bdd3e0c23c2bdff5fb9a6dac46a5dc8b90d4035895d790a938e246b967569be034c2efffd0ab47d2de8be78d60166e1c9615 |