asyncrat | 9ea5c3c4853cb66cb692d2f1bd8d6405ca469487e69a6bac3a83a0c1ef64d784

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER_253890-5645FD.PDF.js
Size

535KB
MD5

930368ea6f7cd3ed52e3c11ce5a8b84b
SHA1

14205534d961366b4b5650a0bd751366d40e812d
SHA256

890ff9e6467fd6f448189cc6cf0e0f048d116b8fd289cacc6460215702b7b45e
SHA512

5bc116514e447a9edb47c85aa70a2f900241e3920bd8bacf374c78ee6caaa46c4525b7077ca44a69790b21189d48ae74efdd7993db1d728d09c419706c7db629
SSDEEP

3072:vMRy93zMk/wFRTiNy49mDvVHq07vg6fwTuP1c3TS:o82T8UJ7vg6fS0Se

Score

10^/10

asyncrat wshrat march-25-5 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-5

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x0007000000024347-14.dat	family_asyncrat

Blocklisted process makes network request 60 IoCs

flow	pid	Process
9	3076	wscript.exe
32	3076	wscript.exe
36	3076	wscript.exe
37	3076	wscript.exe
51	3076	wscript.exe
52	2308	wscript.exe
64	2308	wscript.exe
65	3076	wscript.exe
66	2308	wscript.exe
67	3076	wscript.exe
68	3076	wscript.exe
69	2308	wscript.exe
73	3076	wscript.exe
74	2308	wscript.exe
75	2000	wscript.exe
76	2308	wscript.exe
77	2000	wscript.exe
78	3076	wscript.exe
79	2308	wscript.exe
80	2000	wscript.exe
81	3076	wscript.exe
82	2308	wscript.exe
83	2000	wscript.exe
84	3076	wscript.exe
89	2308	wscript.exe
91	3076	wscript.exe
92	2000	wscript.exe
93	5252	wscript.exe
94	2308	wscript.exe
97	3076	wscript.exe
98	5252	wscript.exe
99	2000	wscript.exe
101	2308	wscript.exe
102	2000	wscript.exe
103	5252	wscript.exe
104	3076	wscript.exe
105	2308	wscript.exe
106	2000	wscript.exe
107	5252	wscript.exe
108	3076	wscript.exe
109	2308	wscript.exe
110	2000	wscript.exe
111	3076	wscript.exe
112	5252	wscript.exe
114	5588	wscript.exe
115	2308	wscript.exe
116	5588	wscript.exe
117	3076	wscript.exe
118	5252	wscript.exe
119	2000	wscript.exe
120	2308	wscript.exe
121	5588	wscript.exe
122	3076	wscript.exe
123	2000	wscript.exe
124	5252	wscript.exe
125	3076	wscript.exe
126	5252	wscript.exe
127	2000	wscript.exe
128	5588	wscript.exe
129	2308	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	Sgj.exe

Drops startup file 19 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
5024	Sgj.exe
408	svchost.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
940	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3240	schtasks.exe

Script User-Agent 60 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	125	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	52	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	66	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	68	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	129	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	37	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	101	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	105	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	80	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	69	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	118	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	9	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	65	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	117	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	67	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	108	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	64	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	92	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	128	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	32	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	36	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	102	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	120	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	79	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	109	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	91	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	116	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	121	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	122	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	123	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	126	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	104	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	111	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	84	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	51	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	81	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	119	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	110	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	112	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	106	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript
HTTP User-Agent header	124	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 28/3/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe
5024	Sgj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	Sgj.exe
Token: SeDebugPrivilege	408	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3900	1572	wscript.exe	85
PID 1572 wrote to memory of 3900	1572	wscript.exe	85
PID 1572 wrote to memory of 2328	1572	wscript.exe	86
PID 1572 wrote to memory of 2328	1572	wscript.exe	86
PID 3900 wrote to memory of 3076	3900	WScript.exe	91
PID 3900 wrote to memory of 3076	3900	WScript.exe	91
PID 2328 wrote to memory of 5024	2328	WScript.exe	92
PID 2328 wrote to memory of 5024	2328	WScript.exe	92
PID 2328 wrote to memory of 5024	2328	WScript.exe	92
PID 548 wrote to memory of 2536	548	cmd.exe	93
PID 548 wrote to memory of 2536	548	cmd.exe	93
PID 5764 wrote to memory of 4204	5764	cmd.exe	97
PID 5764 wrote to memory of 4204	5764	cmd.exe	97
PID 5928 wrote to memory of 4612	5928	cmd.exe	104
PID 5928 wrote to memory of 4612	5928	cmd.exe	104
PID 4436 wrote to memory of 4644	4436	cmd.exe	105
PID 4436 wrote to memory of 4644	4436	cmd.exe	105
PID 5620 wrote to memory of 4652	5620	cmd.exe	106
PID 5620 wrote to memory of 4652	5620	cmd.exe	106
PID 4460 wrote to memory of 4684	4460	cmd.exe	107
PID 4460 wrote to memory of 4684	4460	cmd.exe	107
PID 5024 wrote to memory of 392	5024	Sgj.exe	114
PID 5024 wrote to memory of 392	5024	Sgj.exe	114
PID 5024 wrote to memory of 392	5024	Sgj.exe	114
PID 5024 wrote to memory of 628	5024	Sgj.exe	116
PID 5024 wrote to memory of 628	5024	Sgj.exe	116
PID 5024 wrote to memory of 628	5024	Sgj.exe	116
PID 628 wrote to memory of 940	628	cmd.exe	118
PID 628 wrote to memory of 940	628	cmd.exe	118
PID 628 wrote to memory of 940	628	cmd.exe	118
PID 392 wrote to memory of 3240	392	cmd.exe	119
PID 392 wrote to memory of 3240	392	cmd.exe	119
PID 392 wrote to memory of 3240	392	cmd.exe	119
PID 628 wrote to memory of 408	628	cmd.exe	121
PID 628 wrote to memory of 408	628	cmd.exe	121
PID 628 wrote to memory of 408	628	cmd.exe	121
PID 556 wrote to memory of 5476	556	cmd.exe	128
PID 556 wrote to memory of 5476	556	cmd.exe	128
PID 3432 wrote to memory of 3980	3432	cmd.exe	129
PID 3432 wrote to memory of 3980	3432	cmd.exe	129
PID 2728 wrote to memory of 3068	2728	cmd.exe	134
PID 2728 wrote to memory of 3068	2728	cmd.exe	134
PID 5204 wrote to memory of 3920	5204	cmd.exe	135
PID 5204 wrote to memory of 3920	5204	cmd.exe	135
PID 3472 wrote to memory of 1360	3472	cmd.exe	140
PID 3472 wrote to memory of 1360	3472	cmd.exe	140
PID 5184 wrote to memory of 5260	5184	cmd.exe	141
PID 5184 wrote to memory of 5260	5184	cmd.exe	141
PID 3928 wrote to memory of 2308	3928	cmd.exe	148
PID 3928 wrote to memory of 2308	3928	cmd.exe	148
PID 5708 wrote to memory of 5524	5708	cmd.exe	149
PID 5708 wrote to memory of 5524	5708	cmd.exe	149
PID 4300 wrote to memory of 4388	4300	cmd.exe	162
PID 4300 wrote to memory of 4388	4300	cmd.exe	162
PID 4312 wrote to memory of 2692	4312	cmd.exe	164
PID 4312 wrote to memory of 2692	4312	cmd.exe	164
PID 3636 wrote to memory of 2916	3636	cmd.exe	163
PID 3636 wrote to memory of 2916	3636	cmd.exe	163
PID 8 wrote to memory of 6040	8	cmd.exe	165
PID 8 wrote to memory of 6040	8	cmd.exe	165
PID 6072 wrote to memory of 3320	6072	cmd.exe	166
PID 6072 wrote to memory of 3320	6072	cmd.exe	166
PID 5652 wrote to memory of 4712	5652	cmd.exe	167
PID 5652 wrote to memory of 4712	5652	cmd.exe	167

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:3076
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\Sgj.exe
    "C:\Users\Admin\AppData\Local\Temp\Sgj.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp71B5.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:940
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5620
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2680
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5684
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3268
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4336
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3620
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4800
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5280
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4680
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5984
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3508
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5416
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2776
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5760
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4696
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2268
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3612
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3620
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6024
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3120
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5640
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sgj.exe

Filesize
45KB

MD5
ece45103465f781d48cdc41a19e7d9cc

SHA1
d7025037bdf2bfb09b3797443ae00d8dbddd4eb7

SHA256
bb6af8f4ac8ab6c14b159b578a5097ad5d7827751230595dd3b2a3c767f3d869

SHA512
4e14419240dbd8ebba468afddf48a70df9d6a55ceaa149eb5873d99aac32eb0aaa5e536791db88d0bdd908eeab6b89d8901687be868ff3b9b0a0b841333f6b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.js

Filesize
283KB

MD5
3ec7efca47f4105ce048b914d78e83d4

SHA1
33e942be440c609e005402bc33202aa6d6e77356

SHA256
82a498f04739913010ea3bd9b3137a686a5f8bdeb45e3a7d74613ce7e52f7885

SHA512
15ac7476f3bc9af427d30a0652b1d6618bae4076fdd59533754ebdb3234f89d2b9df893b715f7757e2e71eaf208b052d80bd707403e720b15e805c16c503eb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp71B5.tmp.bat

Filesize
151B

MD5
7aa9503f86656dfdb639c2415eddfc17

SHA1
8bf4a00997600a42914fceda538c4e2cc4001af0

SHA256
bea7271cd1448a0b218acf70440a0e4a45910f2127fef62be3f889bc55ba5b2d

SHA512
eed21809d164ba8aa0bb4f46474ddf501d4d6779a6f2adc6a70823819db29f11c9edbe23684842b56387785ae48e25e87dc7ea12bf373195815bfe54a2e4c172

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
82KB

MD5
795dba1c09091b137e2450186b18a7d5

SHA1
313ce45b6aa0fd09fbf904178d214c9fe5096dd4

SHA256
0e780ba89b45b86e561d4dcfa1ed00f253cbc9e98e36b0d12ac89c438dfe9723

SHA512
e4096c66e13626bead3386294adf3c97464bc2e2f43bb37e65f200a0d16d4ceb5950ee5e4f05c8a6fb8ed5ca3ec4e3bc5b35ea271d212d172a040966a6946620

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js

Filesize
192KB

MD5
b7417678889aa99107d73ba11b9d2073

SHA1
2faaede854623e3902cf0041c98dd1368bd133a6

SHA256
adc24684eb0c0731188ef83ebd05e0cd531586df3b37b85dfff2d593480985af

SHA512
77a052ed2cd174ecf280652eacf88e0ab796f5aea2516c79f64210f7f38ff6896ba5449ef86c52fa936ac7690648a1ad4119816e8cd78238c957446e3b1452de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js

Filesize
64KB

MD5
9bd0763d02f938f0fd142eb891b0ced9

SHA1
7a63ca818bedb8047964effcd7571c7c049315d2

SHA256
809c071fe3f75b4d5c6fcbb1b58e53bc718cce994bad20f13afdf5539d419f43

SHA512
438798e61f9910b8391199904384bdd3e0c23c2bdff5fb9a6dac46a5dc8b90d4035895d790a938e246b967569be034c2efffd0ab47d2de8be78d60166e1c9615

Download Submit
memory/408-37-0x0000000006EF0000-0x0000000007494000-memory.dmp

Filesize
5.6MB

Download
memory/408-38-0x0000000006390000-0x00000000063F6000-memory.dmp

Filesize
408KB

Download
memory/5024-25-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/5024-26-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download