asyncrat | 7bbb3b5cc257f954203a6ead2bb941b09666acff08275fd91648799b157ca122

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-285663-OO25331.js
Size

563KB
MD5

cb870a9367b7dba2141abf3a067592ec
SHA1

223570f201a79c3412eeee0b0a2225ded3f4e198
SHA256

7bbb3b5cc257f954203a6ead2bb941b09666acff08275fd91648799b157ca122
SHA512

0734fbfb61aa814f1fff537729ee28da83f74d82a4f5ee2aab9c1c4dfa179124ac17ad8d254af0e0fa445faeac515bf542b17fe47565dfe3cf8db037479ce57d
SSDEEP

6144:1ivcBxisYZEXRog9zS16WF37JUBfGSZDMX:1NRYSCIzS0O3dUBVQX

Score

10^/10

asyncrat wshrat march-25-5 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-5

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7045

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000024241-14.dat	family_asyncrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
7	220	wscript.exe
27	220	wscript.exe
36	220	wscript.exe
38	220	wscript.exe
40	220	wscript.exe
41	4300	wscript.exe
57	220	wscript.exe
58	4300	wscript.exe
75	220	wscript.exe
76	4300	wscript.exe
77	220	wscript.exe
78	4300	wscript.exe
79	220	wscript.exe
80	4300	wscript.exe
81	6128	wscript.exe
82	220	wscript.exe
83	4300	wscript.exe
84	6128	wscript.exe
88	220	wscript.exe
89	4300	wscript.exe
90	6128	wscript.exe
91	220	wscript.exe
92	4300	wscript.exe
93	6128	wscript.exe
94	220	wscript.exe
95	4300	wscript.exe
96	6128	wscript.exe
97	2440	wscript.exe
98	220	wscript.exe
99	4300	wscript.exe
100	6128	wscript.exe
101	2440	wscript.exe
102	220	wscript.exe
103	4300	wscript.exe
108	6128	wscript.exe
109	2440	wscript.exe
111	220	wscript.exe
112	4300	wscript.exe
113	6128	wscript.exe
114	2440	wscript.exe
115	220	wscript.exe
116	4300	wscript.exe
119	6128	wscript.exe
120	2440	wscript.exe
121	5532	wscript.exe
123	220	wscript.exe
124	4300	wscript.exe
125	6128	wscript.exe
126	2440	wscript.exe
127	5532	wscript.exe
128	220	wscript.exe
129	4300	wscript.exe
130	6128	wscript.exe
131	2440	wscript.exe
132	5532	wscript.exe
133	220	wscript.exe
134	4300	wscript.exe
135	6128	wscript.exe
136	2440	wscript.exe
137	5532	wscript.exe
138	220	wscript.exe
139	4300	wscript.exe
140	6128	wscript.exe
141	2440	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Sjn.exe

Drops startup file 16 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4940	Sjn.exe
2704	svchost.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4268	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3904	schtasks.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	101	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	158	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	27	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	36	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	111	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	141	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	152	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	116	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	128	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	143	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	160	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	84	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	113	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	159	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	102	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	142	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	155	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	156	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	57	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	92	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	125	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	134	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	40	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	100	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	108	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	121	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	135	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	161	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	129	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	119	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	146	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	149	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	120	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	133	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	147	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	148	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	88	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	139	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	151	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	162	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	79	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	81	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	91	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	154	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	157	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	132	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|A08D8C4D\|EPFPAFGQ\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 31/3/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe
4940	Sjn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	Sjn.exe
Token: SeDebugPrivilege	2704	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3168	2840	wscript.exe	86
PID 2840 wrote to memory of 3168	2840	wscript.exe	86
PID 2840 wrote to memory of 1816	2840	wscript.exe	87
PID 2840 wrote to memory of 1816	2840	wscript.exe	87
PID 3168 wrote to memory of 220	3168	WScript.exe	92
PID 3168 wrote to memory of 220	3168	WScript.exe	92
PID 1816 wrote to memory of 4940	1816	WScript.exe	93
PID 1816 wrote to memory of 4940	1816	WScript.exe	93
PID 1816 wrote to memory of 4940	1816	WScript.exe	93
PID 512 wrote to memory of 4116	512	cmd.exe	94
PID 512 wrote to memory of 4116	512	cmd.exe	94
PID 5596 wrote to memory of 536	5596	cmd.exe	95
PID 5596 wrote to memory of 536	5596	cmd.exe	95
PID 4820 wrote to memory of 1664	4820	cmd.exe	112
PID 4820 wrote to memory of 1664	4820	cmd.exe	112
PID 4720 wrote to memory of 5096	4720	cmd.exe	114
PID 4720 wrote to memory of 5096	4720	cmd.exe	114
PID 4912 wrote to memory of 5024	4912	cmd.exe	115
PID 4912 wrote to memory of 5024	4912	cmd.exe	115
PID 5068 wrote to memory of 2556	5068	cmd.exe	116
PID 5068 wrote to memory of 2556	5068	cmd.exe	116
PID 5052 wrote to memory of 4960	5052	cmd.exe	117
PID 5052 wrote to memory of 4960	5052	cmd.exe	117
PID 4784 wrote to memory of 6036	4784	cmd.exe	118
PID 4784 wrote to memory of 6036	4784	cmd.exe	118
PID 4976 wrote to memory of 6100	4976	cmd.exe	119
PID 4976 wrote to memory of 6100	4976	cmd.exe	119
PID 4732 wrote to memory of 6032	4732	cmd.exe	120
PID 4732 wrote to memory of 6032	4732	cmd.exe	120
PID 4940 wrote to memory of 4020	4940	Sjn.exe	127
PID 4940 wrote to memory of 4020	4940	Sjn.exe	127
PID 4940 wrote to memory of 4020	4940	Sjn.exe	127
PID 4940 wrote to memory of 3248	4940	Sjn.exe	129
PID 4940 wrote to memory of 3248	4940	Sjn.exe	129
PID 4940 wrote to memory of 3248	4940	Sjn.exe	129
PID 4020 wrote to memory of 3904	4020	cmd.exe	131
PID 4020 wrote to memory of 3904	4020	cmd.exe	131
PID 4020 wrote to memory of 3904	4020	cmd.exe	131
PID 3248 wrote to memory of 4268	3248	cmd.exe	132
PID 3248 wrote to memory of 4268	3248	cmd.exe	132
PID 3248 wrote to memory of 4268	3248	cmd.exe	132
PID 3248 wrote to memory of 2704	3248	cmd.exe	134
PID 3248 wrote to memory of 2704	3248	cmd.exe	134
PID 3248 wrote to memory of 2704	3248	cmd.exe	134
PID 2892 wrote to memory of 1348	2892	cmd.exe	139
PID 2892 wrote to memory of 1348	2892	cmd.exe	139
PID 3148 wrote to memory of 4180	3148	cmd.exe	140
PID 3148 wrote to memory of 4180	3148	cmd.exe	140
PID 1892 wrote to memory of 5900	1892	cmd.exe	147
PID 1892 wrote to memory of 5900	1892	cmd.exe	147
PID 2588 wrote to memory of 3640	2588	cmd.exe	148
PID 2588 wrote to memory of 3640	2588	cmd.exe	148
PID 1636 wrote to memory of 5576	1636	cmd.exe	153
PID 1636 wrote to memory of 5576	1636	cmd.exe	153
PID 5592 wrote to memory of 5800	5592	cmd.exe	154
PID 5592 wrote to memory of 5800	5592	cmd.exe	154
PID 6048 wrote to memory of 4300	6048	cmd.exe	159
PID 6048 wrote to memory of 4300	6048	cmd.exe	159
PID 1544 wrote to memory of 868	1544	cmd.exe	173
PID 1544 wrote to memory of 868	1544	cmd.exe	173
PID 528 wrote to memory of 2980	528	cmd.exe	174
PID 528 wrote to memory of 2980	528	cmd.exe	174
PID 4768 wrote to memory of 3196	4768	cmd.exe	175
PID 4768 wrote to memory of 3196	4768	cmd.exe	175

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-285663-OO25331.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Sjn.exe
    "C:\Users\Admin\AppData\Local\Temp\Sjn.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4268
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6080
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3640
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4448
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1988
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4788
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1508
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4028
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4700
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2248
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1232
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:988
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3168
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4684
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4852
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:760
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5024
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1296
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2280
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1392
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4624
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3144
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5172
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2896
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6092
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4156
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1564
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2000
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2824
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1168
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6092
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sjn.exe

Filesize
45KB

MD5
f30e55bf9625369bc13b7101a7b62297

SHA1
12e4dafe9c846c7dc1097c4ae1fbb99ad20105cc

SHA256
1a9257ef826724ab8008c0ee6b7597a252a2aaf04b5ea9c0a0e1a316809111a5

SHA512
b378994feb757e74a7b4b2e19469d219fd06421921bf842425d54139e99c6304a045e7c8512786c5c55b2be7ffe3b57afac748c6e0ba34747f1ed28ab7404026

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
82KB

MD5
cfc8bb79ab87c1ee22a8441f1ee32517

SHA1
242a9cdbd612398edbf28876b607315fc3371d7b

SHA256
9d408e74f954a5ef232750708c12029eee9cefd56e7c1a3a446df31f35958da6

SHA512
71f96cc15ffad27e6f89bf6146e3ff4e198e2f2c5c8597a240eb76398f318089da46c6f26c9c17f13426bf068d85a67a85c8a71fecfec2244d75bb8df63f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.js

Filesize
305KB

MD5
0bb50ed07792c6299fd298f06d4aca2c

SHA1
ca33fff5b123bbe9e5ec737a36e1bf9f5e3d0c21

SHA256
38f77ca7add59c039b0a723918e0d2336e903e591a9a3ac88ffe50af1513a609

SHA512
753789c7e840009a07c7d4504d800a25a4648b1e5ee3bf64aaf7f13b6fd9f480ee3af2dfb8eda1076c8bc2f3c02d427826d7be1d23d40d6c4f7899d2f3521bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat

Filesize
154B

MD5
e5b50da01d56bd4d5691753fbb053906

SHA1
b4294037b721ae0dcecd7de8fd593e6a156bd852

SHA256
0e56750032118c650ca7157270db7c3b4e97adca972a3ff2f4fc8f82f5997543

SHA512
bc430e19ee486f133d238af1b9393ff6a842faa1bbb9c371585ba345329122c17cf030992638ae3c814721a6b02cc4a2ad9687866bc95a24bcb25013f790c564

Download Submit
memory/2704-53-0x00000000063B0000-0x0000000006954000-memory.dmp

Filesize
5.6MB

Download
memory/2704-54-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4940-27-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/4940-30-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download