asyncrat | 60667b8d0b8ed46c3b023dfec70fad2f24cb4bdd15060db90e6176e67ca09c76

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-018654-002504.js
Size

6KB
MD5

7352df5a14aecba54ac07136a27f96e6
SHA1

44a686b3acdeae3d0c704d8dc2618d31029c2fee
SHA256

60667b8d0b8ed46c3b023dfec70fad2f24cb4bdd15060db90e6176e67ca09c76
SHA512

4b89b36c30d5f3d0482300d5726d7eea8a283a930f2e959f9b15d37a04ba69a96ab9038da6159014b312e32f3d9cf8556369542efc16b72e7cb1b59feb60587b
SSDEEP

96:wxjwyH4VwotBhKk5a7wof1AwwyHkps6iAaqg3BBi7o2XqwyH5RTuptSupKqupcak:1o9XUGPIYGiU8gh

Score

10^/10

asyncrat wshrat default discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

lee44.kozow.com:4869

lee44.kozow.com:50472

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
audiondg.exe
install_folder
%AppData%

aes.plain

Extracted

Family

wshrat

http://lee44.kozow.com:6892

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/4468-27-0x0000000002F10000-0x0000000002F22000-memory.dmp	family_asyncrat
behavioral1/memory/5224-39-0x0000000003210000-0x0000000003222000-memory.dmp	family_asyncrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
1	2220	wscript.exe
26	5568	wscript.exe
30	5568	wscript.exe
37	5568	wscript.exe
39	5568	wscript.exe
40	5568	wscript.exe
41	5464	wscript.exe
42	5568	wscript.exe
43	5464	wscript.exe
72	5568	wscript.exe
73	5464	wscript.exe
74	5568	wscript.exe
75	5464	wscript.exe
76	5568	wscript.exe
77	5464	wscript.exe
78	6024	wscript.exe
79	5568	wscript.exe
80	5464	wscript.exe
81	6024	wscript.exe
82	5568	wscript.exe
83	5464	wscript.exe
84	6024	wscript.exe
85	5568	wscript.exe
88	5464	wscript.exe
93	6024	wscript.exe
96	5568	wscript.exe
97	5464	wscript.exe
98	6024	wscript.exe
99	4256	wscript.exe
100	5568	wscript.exe
101	5464	wscript.exe
102	6024	wscript.exe
103	4256	wscript.exe
104	5568	wscript.exe
105	5464	wscript.exe
106	6024	wscript.exe
107	4256	wscript.exe
108	5568	wscript.exe
109	5464	wscript.exe
110	6024	wscript.exe
111	4256	wscript.exe
112	5568	wscript.exe
113	5464	wscript.exe
114	6024	wscript.exe
115	4256	wscript.exe
116	4968	wscript.exe
117	5568	wscript.exe
118	5464	wscript.exe
119	6024	wscript.exe
120	4256	wscript.exe
121	4968	wscript.exe
122	5568	wscript.exe
123	5464	wscript.exe
124	6024	wscript.exe
125	4256	wscript.exe
126	4968	wscript.exe
130	5568	wscript.exe
131	5464	wscript.exe
132	6024	wscript.exe
133	4256	wscript.exe
134	4968	wscript.exe
135	5464	wscript.exe
136	6024	wscript.exe
137	4256	wscript.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	hSc.exe

Drops startup file 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4468	hSc.exe
5224	audiondg.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiondg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hSc.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3992	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3600	schtasks.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	99	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	122	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	132	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	145	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	167	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	84	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	105	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	125	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	138	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	150	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	152	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	162	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	173	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	140	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	169	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	42	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	102	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	112	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	135	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	141	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	179	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	183	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	39	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	109	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	117	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	121	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	159	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	161	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	174	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	119	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	166	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	172	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	175	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	177	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	43	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	81	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	85	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	118	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	120	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	181	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	30	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	40	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	106	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	151	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	164	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	182	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	26	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	88	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	104	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	123	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	136	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	146	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	171	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	178	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	41	WSHRAT\|4E8B487B\|QQDZFYSF\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe
4468	hSc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	hSc.exe
Token: SeDebugPrivilege	5224	audiondg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4352	2220	wscript.exe	89
PID 2220 wrote to memory of 4352	2220	wscript.exe	89
PID 4352 wrote to memory of 5856	4352	WScript.exe	90
PID 4352 wrote to memory of 5856	4352	WScript.exe	90
PID 4352 wrote to memory of 4676	4352	WScript.exe	91
PID 4352 wrote to memory of 4676	4352	WScript.exe	91
PID 5856 wrote to memory of 5568	5856	WScript.exe	96
PID 5856 wrote to memory of 5568	5856	WScript.exe	96
PID 4676 wrote to memory of 4468	4676	WScript.exe	97
PID 4676 wrote to memory of 4468	4676	WScript.exe	97
PID 4676 wrote to memory of 4468	4676	WScript.exe	97
PID 4840 wrote to memory of 5084	4840	cmd.exe	105
PID 4840 wrote to memory of 5084	4840	cmd.exe	105
PID 4804 wrote to memory of 4996	4804	cmd.exe	107
PID 4804 wrote to memory of 4996	4804	cmd.exe	107
PID 4960 wrote to memory of 4672	4960	cmd.exe	109
PID 4960 wrote to memory of 4672	4960	cmd.exe	109
PID 4984 wrote to memory of 968	4984	cmd.exe	110
PID 4984 wrote to memory of 968	4984	cmd.exe	110
PID 4988 wrote to memory of 5040	4988	cmd.exe	111
PID 4988 wrote to memory of 5040	4988	cmd.exe	111
PID 4944 wrote to memory of 5736	4944	cmd.exe	112
PID 4944 wrote to memory of 5736	4944	cmd.exe	112
PID 4468 wrote to memory of 4400	4468	hSc.exe	116
PID 4468 wrote to memory of 4400	4468	hSc.exe	116
PID 4468 wrote to memory of 4400	4468	hSc.exe	116
PID 4468 wrote to memory of 5444	4468	hSc.exe	118
PID 4468 wrote to memory of 5444	4468	hSc.exe	118
PID 4468 wrote to memory of 5444	4468	hSc.exe	118
PID 4400 wrote to memory of 3600	4400	cmd.exe	120
PID 4400 wrote to memory of 3600	4400	cmd.exe	120
PID 4400 wrote to memory of 3600	4400	cmd.exe	120
PID 5444 wrote to memory of 3992	5444	cmd.exe	121
PID 5444 wrote to memory of 3992	5444	cmd.exe	121
PID 5444 wrote to memory of 3992	5444	cmd.exe	121
PID 4596 wrote to memory of 3588	4596	cmd.exe	126
PID 4596 wrote to memory of 3588	4596	cmd.exe	126
PID 1260 wrote to memory of 1064	1260	cmd.exe	127
PID 1260 wrote to memory of 1064	1260	cmd.exe	127
PID 5444 wrote to memory of 5224	5444	cmd.exe	129
PID 5444 wrote to memory of 5224	5444	cmd.exe	129
PID 5444 wrote to memory of 5224	5444	cmd.exe	129
PID 2680 wrote to memory of 2600	2680	cmd.exe	136
PID 2680 wrote to memory of 2600	2680	cmd.exe	136
PID 4608 wrote to memory of 3264	4608	cmd.exe	137
PID 4608 wrote to memory of 3264	4608	cmd.exe	137
PID 5292 wrote to memory of 5144	5292	cmd.exe	142
PID 5292 wrote to memory of 5144	5292	cmd.exe	142
PID 4628 wrote to memory of 4144	4628	cmd.exe	143
PID 4628 wrote to memory of 4144	4628	cmd.exe	143
PID 2924 wrote to memory of 5464	2924	cmd.exe	148
PID 2924 wrote to memory of 5464	2924	cmd.exe	148
PID 5300 wrote to memory of 5572	5300	cmd.exe	149
PID 5300 wrote to memory of 5572	5300	cmd.exe	149
PID 3868 wrote to memory of 4796	3868	cmd.exe	162
PID 3868 wrote to memory of 4796	3868	cmd.exe	162
PID 5448 wrote to memory of 4692	5448	cmd.exe	163
PID 5448 wrote to memory of 4692	5448	cmd.exe	163
PID 5624 wrote to memory of 4916	5624	cmd.exe	164
PID 5624 wrote to memory of 4916	5624	cmd.exe	164
PID 5592 wrote to memory of 4832	5592	cmd.exe	165
PID 5592 wrote to memory of 4832	5592	cmd.exe	165
PID 548 wrote to memory of 3516	548	cmd.exe	166
PID 548 wrote to memory of 3516	548	cmd.exe	166

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-018654-002504.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SFLYUC.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5856
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:5568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\hSc.exe
      "C:\Users\Admin\AppData\Local\Temp\hSc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audiondg" /tr '"C:\Users\Admin\AppData\Roaming\audiondg.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "audiondg" /tr '"C:\Users\Admin\AppData\Roaming\audiondg.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7762.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5444
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3992
      - C:\Users\Admin\AppData\Roaming\audiondg.exe
        
        "C:\Users\Admin\AppData\Roaming\audiondg.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5448
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5624
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4328
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4824
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4736
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4416
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2984
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:772
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5484
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5432
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3248
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3220
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4416
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4568
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4600
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2612
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2600
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1192
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3716
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2060
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:756
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2080
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:448
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5392
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5196
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4328
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5448
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5200
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2060
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2568
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4416
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:680
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4296
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1156
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1180
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4760
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3232
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2060
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6028
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:32
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SFLYUC.js

Filesize
638KB

MD5
bd23f21674639eea532fc311b8f87168

SHA1
522a842c7189a8d9f890c9999a8efaa6ab21301b

SHA256
791ffa07e016eec3dd14fd160f6833f147c6b8a835fdf2154bbfa29da405bc2a

SHA512
60546662f12a3bc8beebd9978c8a37f206c9b6a98deebc98dc208ff8afe5ac0a1f1e830da2688090c7c29c00829f6be4b3e606161c35b5a6c0c20a5f216b187e

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
305KB

MD5
ff3f950426200dc204b9f75a928b3fcd

SHA1
25bdb3542c46066bebb86856ddeb8258e2082d34

SHA256
cec74690e836fbd5e8ace416a69432fc9e2b5047f3e36b87a2b9f7152c9e06fb

SHA512
949f36f16b68673506127c085f179a6ce545ab2c202fd2cc225c76b21f76947998b1adc5b725f3532c1bb4f3a3ceb94b23d3ebf3fa4ac73863370d014907b020

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSc.exe

Filesize
88KB

MD5
ce3760626f7320dd45bf9a7a3708cb3f

SHA1
bc16fccd38226bcb269a0e8eaad3d9991b7013ae

SHA256
4a523ed4cc884a4d0a1f2a306ad9d7c0fb58a2bfb08cf8a3eb02ac78d129d6e3

SHA512
9bbadc74f492447aebd42c0a94f8c2d12fe056518f867dc00ed6262e93c886b3419b87985c3647b0eb7979a65c60f7096a6d2c77c4a5f9d56525bd0cc13e6d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7762.tmp.bat

Filesize
152B

MD5
a94ba282c99775577eb67df38cd63142

SHA1
185c7e852d299e735a68a94fcb810b5fbf825771

SHA256
840473499781d87cc247855d1a6547c223f4b3a4519a77b0cc2ac1c38916192b

SHA512
64b1ecefa24393f76c8dae662434e2eff689d3024633aab7818a63e74a1cd73762670e1a4be4d90e0f6f2739d4fa4e255d9cddf69f40945f6e5489fb1dc9d670

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.js

Filesize
138KB

MD5
a16994a058b4c8dd3bbd6d09ad411f43

SHA1
d8b7a027f2d75b7c58f7b8528db6d658ac925b84

SHA256
3c93d99e841ed0390a73f57465fa5a5bdb77c5647eacbcb53ae35d1bcca3ab9d

SHA512
664bb8c9e06a13cf7a57972bb9159d27fb339badd8e71eb179d69da488af1ca56fba56ecef7b497c651d3b41a66d97edb77044728f7ea32845b48713c57fc3c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js

Filesize
64KB

MD5
eb75c819423eeb32b82dc95bf305b6b6

SHA1
7d3fee2d811a341358d52aa5e336a5b1f8d14271

SHA256
0e35c81e41a1ce3c92c9c21bcc5ce16bf64f16252d26119673da342d7e534bfc

SHA512
2a50c80b3bf38e6b62ab72367379f4071c5be3f32c7bfe4e0a0ccf9c33bd7911d32c611d65139b033b7cc373aaa73641517f5a220be1f4d990d9cb235f319fa2

Download Submit
memory/4468-33-0x0000000000020000-0x000000000003C000-memory.dmp

Filesize
112KB

Download
memory/4468-28-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/4468-27-0x0000000002F10000-0x0000000002F22000-memory.dmp

Filesize
72KB

Download
memory/5224-39-0x0000000003210000-0x0000000003222000-memory.dmp

Filesize
72KB

Download
memory/5224-43-0x00000000073E0000-0x0000000007984000-memory.dmp

Filesize
5.6MB

Download
memory/5224-44-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/5224-46-0x0000000000EE0000-0x0000000000EFC000-memory.dmp

Filesize
112KB

Download