asyncrat | 1de23c3bc20fc709cedde358b0782aec3373291a758f41ce5baebd8ede500a84

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER#250401-789057.pdf.js
Size

564KB
MD5

169562960a4143f84791abdff608d54d
SHA1

60170c23389a9b995bcec617ceee5ce055157859
SHA256

0a2b59698651ff2b7b94bc9b41fd04482eb5a2e78242227caf3c59c7ce21284b
SHA512

05151182885b7175993fb80eb7f688a89586db58ad7835edbbaa82585ecce29dd427a842b02a074921c2023e93f1e4f91132f6f9e160f995a2c9f778de32bd4b
SSDEEP

3072:AN/053WsFOT+2WoBZ6t0DXm4yLWVPmtxL87ODaqwB:AN/c3FFOTFF6ShLIOB

Score

10^/10

asyncrat wshrat apr-25-2 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

APR-25-2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000002419e-15.dat	family_asyncrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
4	2624	wscript.exe
26	2624	wscript.exe
35	2624	wscript.exe
38	2624	wscript.exe
41	2624	wscript.exe
44	1004	wscript.exe
54	2624	wscript.exe
57	1004	wscript.exe
72	2624	wscript.exe
74	1004	wscript.exe
75	2624	wscript.exe
76	1004	wscript.exe
77	2624	wscript.exe
78	1004	wscript.exe
79	2972	wscript.exe
80	2624	wscript.exe
81	1004	wscript.exe
82	2972	wscript.exe
83	2624	wscript.exe
84	1004	wscript.exe
85	2972	wscript.exe
90	2624	wscript.exe
91	1004	wscript.exe
92	2972	wscript.exe
93	2624	wscript.exe
94	1004	wscript.exe
95	2972	wscript.exe
96	2980	wscript.exe
97	2624	wscript.exe
98	1004	wscript.exe
99	2972	wscript.exe
100	2980	wscript.exe
101	1004	wscript.exe
102	2624	wscript.exe
103	2980	wscript.exe
104	2972	wscript.exe
105	1004	wscript.exe
106	2624	wscript.exe
111	2980	wscript.exe
112	2972	wscript.exe
113	1004	wscript.exe
114	2624	wscript.exe
115	2980	wscript.exe
116	2972	wscript.exe
117	2720	wscript.exe
118	1004	wscript.exe
119	2624	wscript.exe
122	2980	wscript.exe
123	2972	wscript.exe
125	2720	wscript.exe
126	1004	wscript.exe
127	2624	wscript.exe
128	2980	wscript.exe
129	2972	wscript.exe
130	2720	wscript.exe
131	1004	wscript.exe
132	2624	wscript.exe
133	2980	wscript.exe
134	2972	wscript.exe
135	2720	wscript.exe
136	1004	wscript.exe
137	2624	wscript.exe
138	2980	wscript.exe
139	2972	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	dQeU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1936	dQeU.exe
4664	svchost.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dQeU.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3960	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1884	schtasks.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	139	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	144	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	38	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	104	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	125	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	158	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	95	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	84	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	117	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	143	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	157	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	159	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	41	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	85	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	118	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	153	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	166	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	122	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	138	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	156	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	169	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	57	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	92	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	105	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	123	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	128	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	129	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	44	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	54	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	26	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	132	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	155	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	164	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	131	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	146	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	149	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	126	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	162	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	163	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	165	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	96	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	101	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	134	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	151	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	152	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|C6928982\|ISKSVYMX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 2/4/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe
1936	dQeU.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	dQeU.exe
Token: SeDebugPrivilege	4664	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 1804	4512	wscript.exe	88
PID 4512 wrote to memory of 1804	4512	wscript.exe	88
PID 4512 wrote to memory of 1216	4512	wscript.exe	89
PID 4512 wrote to memory of 1216	4512	wscript.exe	89
PID 1804 wrote to memory of 2624	1804	WScript.exe	94
PID 1804 wrote to memory of 2624	1804	WScript.exe	94
PID 1216 wrote to memory of 1936	1216	WScript.exe	95
PID 1216 wrote to memory of 1936	1216	WScript.exe	95
PID 1216 wrote to memory of 1936	1216	WScript.exe	95
PID 2820 wrote to memory of 3060	2820	cmd.exe	104
PID 2820 wrote to memory of 3060	2820	cmd.exe	104
PID 516 wrote to memory of 2720	516	cmd.exe	105
PID 516 wrote to memory of 2720	516	cmd.exe	105
PID 4680 wrote to memory of 4856	4680	cmd.exe	107
PID 4680 wrote to memory of 4856	4680	cmd.exe	107
PID 3492 wrote to memory of 3856	3492	cmd.exe	108
PID 3492 wrote to memory of 3856	3492	cmd.exe	108
PID 212 wrote to memory of 4544	212	cmd.exe	109
PID 212 wrote to memory of 4544	212	cmd.exe	109
PID 4928 wrote to memory of 2036	4928	cmd.exe	110
PID 4928 wrote to memory of 2036	4928	cmd.exe	110
PID 1936 wrote to memory of 4852	1936	dQeU.exe	117
PID 1936 wrote to memory of 4852	1936	dQeU.exe	117
PID 1936 wrote to memory of 4852	1936	dQeU.exe	117
PID 1936 wrote to memory of 5084	1936	dQeU.exe	119
PID 1936 wrote to memory of 5084	1936	dQeU.exe	119
PID 1936 wrote to memory of 5084	1936	dQeU.exe	119
PID 5084 wrote to memory of 3960	5084	cmd.exe	122
PID 5084 wrote to memory of 3960	5084	cmd.exe	122
PID 5084 wrote to memory of 3960	5084	cmd.exe	122
PID 4852 wrote to memory of 1884	4852	cmd.exe	121
PID 4852 wrote to memory of 1884	4852	cmd.exe	121
PID 4852 wrote to memory of 1884	4852	cmd.exe	121
PID 5084 wrote to memory of 4664	5084	cmd.exe	124
PID 5084 wrote to memory of 4664	5084	cmd.exe	124
PID 5084 wrote to memory of 4664	5084	cmd.exe	124
PID 868 wrote to memory of 4636	868	cmd.exe	130
PID 868 wrote to memory of 4636	868	cmd.exe	130
PID 4540 wrote to memory of 4832	4540	cmd.exe	129
PID 4540 wrote to memory of 4832	4540	cmd.exe	129
PID 3364 wrote to memory of 1388	3364	cmd.exe	137
PID 3364 wrote to memory of 1388	3364	cmd.exe	137
PID 2768 wrote to memory of 556	2768	cmd.exe	138
PID 2768 wrote to memory of 556	2768	cmd.exe	138
PID 220 wrote to memory of 3660	220	cmd.exe	143
PID 220 wrote to memory of 3660	220	cmd.exe	143
PID 3344 wrote to memory of 5108	3344	cmd.exe	144
PID 3344 wrote to memory of 5108	3344	cmd.exe	144
PID 2020 wrote to memory of 1004	2020	cmd.exe	149
PID 2020 wrote to memory of 1004	2020	cmd.exe	149
PID 4384 wrote to memory of 1608	4384	cmd.exe	150
PID 4384 wrote to memory of 1608	4384	cmd.exe	150
PID 3204 wrote to memory of 3616	3204	cmd.exe	163
PID 3204 wrote to memory of 3616	3204	cmd.exe	163
PID 4032 wrote to memory of 1856	4032	cmd.exe	164
PID 4032 wrote to memory of 1856	4032	cmd.exe	164
PID 2976 wrote to memory of 2328	2976	cmd.exe	165
PID 2976 wrote to memory of 2328	2976	cmd.exe	165
PID 2752 wrote to memory of 452	2752	cmd.exe	166
PID 2752 wrote to memory of 452	2752	cmd.exe	166
PID 2696 wrote to memory of 4020	2696	cmd.exe	167
PID 2696 wrote to memory of 4020	2696	cmd.exe	167
PID 3088 wrote to memory of 4452	3088	cmd.exe	168
PID 3088 wrote to memory of 4452	3088	cmd.exe	168

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER#250401-789057.pdf.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2624
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\dQeU.exe
    "C:\Users\Admin\AppData\Local\Temp\dQeU.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp611B.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3960
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3996
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3520
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4484
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2472
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4148
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1700
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4432
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4700
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1416
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4564
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3364
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4568
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4832
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3800
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1716
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1056
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5000
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3696
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3800
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1232
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3788
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1756
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1232
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4828
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2804
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4776
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4852
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2200
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:612
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3612
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2356
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4568
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
82KB

MD5
d7daad32d810c4b6455f652de67a4e3e

SHA1
5f1af48da6591ae65ab7fcea7e73e6d23101dcd5

SHA256
8e45e646888123249c03fce29e06e44928ae1b86fdaca0b02cc7b8d1d469d39a

SHA512
389a0675910fb396ee9b7246d948e192bdbbbc35bba0909ce378d4ecc36c44a91428b3034e57821986c70ba591a0133da9c2ecb75b789a83d1d48969bc52aece

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.js

Filesize
305KB

MD5
11e22de2397c579ef9f07cf0d6864c0f

SHA1
f0c6ec48e82058cf2c5cd4be6bfbb36f62e1a7aa

SHA256
7ab11f4b8793b4344b37f74e94e9304b694f97d9c1c2d72a78e6742cfe6025e5

SHA512
9d9ab4de4bb7bb3c2fd7f405057da6eafff630cf20400c7806d6f12ccc1d2b3ab9292b675d1a0472a355338296ef0dec1c3b6641a9865b4d4107341ac36e5da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQeU.exe

Filesize
45KB

MD5
0d37d394c6a68e2ba0c4323c7e676dd5

SHA1
799c19c000fbc14067965ff3ee35223528bf0ea3

SHA256
65f650df96efe0b4f703564698fedee48ab7df20949a885c021ffa985a093fd0

SHA512
886abf21212742f3cbb31852ff2be36d17fe6c970067d41671cba9e402f70ca595ce9984dd8992ee09c0a1c261bb49b76d420888bec913a4779b86e03b473a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp611B.tmp.bat

Filesize
151B

MD5
0252de1d74fb29984c705451193907d2

SHA1
ebd551076e9be76acd1520e65b6e92f261e763e3

SHA256
182c7939aa2d2a815dae900fa935977755a99b6ad0ce9baf336072cdc971065e

SHA512
9464d281034453b0101b69a6fdc8f1f4d6a74c11362b2ab15384e10d6f4a311dbc57c98a6d58af2a0e06edcad318b03e11b124571bb783829a6c1e697c83f0d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js

Filesize
192KB

MD5
65e0a49abc51ffb0a95b8290c88e147f

SHA1
a5b62c1d607c36f15f6e1a3fe9ec796b10c4850a

SHA256
46e81ad2662b9135c730c394d468d47fbe7c7bc2782db282b23f576ef96ea7df

SHA512
0ed1e4c8bc8703b7a424437e082a9fba306b83fd7b76676d175a0eb58250e8fe7e675ef6370da0956bd2b95527c06ac61001275fc51c73622d31b31ed1d512b9

Download Submit
memory/1936-25-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1936-26-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/4664-46-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/4664-47-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download