asyncrat | 60667b8d0b8ed46c3b023dfec70fad2f24cb4bdd15060db90e6176e67ca09c76

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-018654-002504.js
Size

6KB
MD5

7352df5a14aecba54ac07136a27f96e6
SHA1

44a686b3acdeae3d0c704d8dc2618d31029c2fee
SHA256

60667b8d0b8ed46c3b023dfec70fad2f24cb4bdd15060db90e6176e67ca09c76
SHA512

4b89b36c30d5f3d0482300d5726d7eea8a283a930f2e959f9b15d37a04ba69a96ab9038da6159014b312e32f3d9cf8556369542efc16b72e7cb1b59feb60587b
SSDEEP

96:wxjwyH4VwotBhKk5a7wof1AwwyHkps6iAaqg3BBi7o2XqwyH5RTuptSupKqupcak:1o9XUGPIYGiU8gh

Score

10^/10

asyncrat wshrat default discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

lee44.kozow.com:4869

lee44.kozow.com:50472

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
audiondg.exe
install_folder
%AppData%

aes.plain

Extracted

Family

wshrat

http://lee44.kozow.com:6892

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/4748-27-0x0000000002910000-0x0000000002922000-memory.dmp	family_asyncrat
behavioral1/memory/904-39-0x0000000005AF0000-0x0000000005B02000-memory.dmp	family_asyncrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
3	1592	wscript.exe
29	4644	wscript.exe
31	4644	wscript.exe
39	4644	wscript.exe
40	4644	wscript.exe
41	4644	wscript.exe
42	5768	wscript.exe
43	4644	wscript.exe
46	5768	wscript.exe
58	4644	wscript.exe
59	5768	wscript.exe
72	4644	wscript.exe
73	5768	wscript.exe
74	4644	wscript.exe
75	5768	wscript.exe
76	4204	wscript.exe
77	4644	wscript.exe
78	5768	wscript.exe
79	4204	wscript.exe
80	4644	wscript.exe
81	5768	wscript.exe
82	4204	wscript.exe
85	4644	wscript.exe
90	5768	wscript.exe
92	4204	wscript.exe
93	4644	wscript.exe
94	5768	wscript.exe
95	4204	wscript.exe
96	5312	wscript.exe
97	4644	wscript.exe
98	5768	wscript.exe
99	4204	wscript.exe
100	5312	wscript.exe
101	4644	wscript.exe
102	5768	wscript.exe
103	4204	wscript.exe
104	5312	wscript.exe
105	4644	wscript.exe
106	5768	wscript.exe
107	4204	wscript.exe
108	5312	wscript.exe
109	4644	wscript.exe
110	5768	wscript.exe
111	4204	wscript.exe
112	5312	wscript.exe
113	4504	wscript.exe
114	4644	wscript.exe
115	5768	wscript.exe
116	4204	wscript.exe
117	5312	wscript.exe
118	4504	wscript.exe
119	4644	wscript.exe
120	5768	wscript.exe
121	4204	wscript.exe
124	5312	wscript.exe
126	4644	wscript.exe
127	5768	wscript.exe
128	4204	wscript.exe
129	4504	wscript.exe
130	5312	wscript.exe
131	4644	wscript.exe
132	5768	wscript.exe
133	4204	wscript.exe
134	4504	wscript.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	hSc.exe

Drops startup file 14 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4748	hSc.exe
904	audiondg.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiondg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hSc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3608	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5864	schtasks.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	81	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	111	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	124	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	169	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	102	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	153	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	168	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	172	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	31	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	46	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	116	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	117	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	134	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	142	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	59	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	80	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	136	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	147	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	151	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	162	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	167	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	179	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	110	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	120	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	140	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	145	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	173	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	177	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	40	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	121	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	126	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	141	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	79	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	139	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	39	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	42	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	85	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	132	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	143	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	144	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	158	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	160	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	170	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	176	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 4/4/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe
4748	hSc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	hSc.exe
Token: SeDebugPrivilege	904	audiondg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1232	1592	wscript.exe	88
PID 1592 wrote to memory of 1232	1592	wscript.exe	88
PID 1232 wrote to memory of 4544	1232	WScript.exe	89
PID 1232 wrote to memory of 4544	1232	WScript.exe	89
PID 1232 wrote to memory of 4504	1232	WScript.exe	90
PID 1232 wrote to memory of 4504	1232	WScript.exe	90
PID 4544 wrote to memory of 4644	4544	WScript.exe	95
PID 4544 wrote to memory of 4644	4544	WScript.exe	95
PID 4504 wrote to memory of 4748	4504	WScript.exe	96
PID 4504 wrote to memory of 4748	4504	WScript.exe	96
PID 4504 wrote to memory of 4748	4504	WScript.exe	96
PID 4792 wrote to memory of 2464	4792	cmd.exe	105
PID 4792 wrote to memory of 2464	4792	cmd.exe	105
PID 4532 wrote to memory of 5200	4532	cmd.exe	106
PID 4532 wrote to memory of 5200	4532	cmd.exe	106
PID 3108 wrote to memory of 4600	3108	cmd.exe	107
PID 3108 wrote to memory of 4600	3108	cmd.exe	107
PID 5872 wrote to memory of 516	5872	cmd.exe	109
PID 5872 wrote to memory of 516	5872	cmd.exe	109
PID 1580 wrote to memory of 2136	1580	cmd.exe	110
PID 1580 wrote to memory of 2136	1580	cmd.exe	110
PID 1748 wrote to memory of 3416	1748	cmd.exe	111
PID 1748 wrote to memory of 3416	1748	cmd.exe	111
PID 4748 wrote to memory of 2600	4748	hSc.exe	115
PID 4748 wrote to memory of 2600	4748	hSc.exe	115
PID 4748 wrote to memory of 2600	4748	hSc.exe	115
PID 4748 wrote to memory of 5380	4748	hSc.exe	117
PID 4748 wrote to memory of 5380	4748	hSc.exe	117
PID 4748 wrote to memory of 5380	4748	hSc.exe	117
PID 5380 wrote to memory of 3608	5380	cmd.exe	119
PID 5380 wrote to memory of 3608	5380	cmd.exe	119
PID 5380 wrote to memory of 3608	5380	cmd.exe	119
PID 2600 wrote to memory of 5864	2600	cmd.exe	120
PID 2600 wrote to memory of 5864	2600	cmd.exe	120
PID 2600 wrote to memory of 5864	2600	cmd.exe	120
PID 4080 wrote to memory of 3644	4080	cmd.exe	126
PID 4080 wrote to memory of 3644	4080	cmd.exe	126
PID 5436 wrote to memory of 3552	5436	cmd.exe	127
PID 5436 wrote to memory of 3552	5436	cmd.exe	127
PID 5380 wrote to memory of 904	5380	cmd.exe	128
PID 5380 wrote to memory of 904	5380	cmd.exe	128
PID 5380 wrote to memory of 904	5380	cmd.exe	128
PID 1328 wrote to memory of 5328	1328	cmd.exe	135
PID 1328 wrote to memory of 5328	1328	cmd.exe	135
PID 2016 wrote to memory of 5760	2016	cmd.exe	136
PID 2016 wrote to memory of 5760	2016	cmd.exe	136
PID 6008 wrote to memory of 5272	6008	cmd.exe	141
PID 6008 wrote to memory of 5272	6008	cmd.exe	141
PID 2656 wrote to memory of 1180	2656	cmd.exe	142
PID 2656 wrote to memory of 1180	2656	cmd.exe	142
PID 2912 wrote to memory of 5768	2912	cmd.exe	147
PID 2912 wrote to memory of 5768	2912	cmd.exe	147
PID 1720 wrote to memory of 5876	1720	cmd.exe	148
PID 1720 wrote to memory of 5876	1720	cmd.exe	148
PID 1012 wrote to memory of 4560	1012	cmd.exe	161
PID 1012 wrote to memory of 4560	1012	cmd.exe	161
PID 3780 wrote to memory of 4712	3780	cmd.exe	162
PID 3780 wrote to memory of 4712	3780	cmd.exe	162
PID 5688 wrote to memory of 4584	5688	cmd.exe	163
PID 5688 wrote to memory of 4584	5688	cmd.exe	163
PID 1592 wrote to memory of 5984	1592	cmd.exe	164
PID 1592 wrote to memory of 5984	1592	cmd.exe	164
PID 4516 wrote to memory of 5000	4516	cmd.exe	165
PID 4516 wrote to memory of 5000	4516	cmd.exe	165

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-018654-002504.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SFLYUC.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:4644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\hSc.exe
      "C:\Users\Admin\AppData\Local\Temp\hSc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audiondg" /tr '"C:\Users\Admin\AppData\Roaming\audiondg.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "audiondg" /tr '"C:\Users\Admin\AppData\Roaming\audiondg.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp77EF.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5380
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3608
      - C:\Users\Admin\AppData\Roaming\audiondg.exe
        
        "C:\Users\Admin\AppData\Roaming\audiondg.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5756
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1268
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4368
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5776
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1380
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4672
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4368
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2828
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4716
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4620
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1328
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3848
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1612
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4824
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4756
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3848
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4364
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2832
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3520
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4984
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5776
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4816
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3392
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2800
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4364
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:816
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5736
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:1452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3472
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:6112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:3664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:5792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:4492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:2424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
1⤵
PID:872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\adobe.js"
  2⤵
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SFLYUC.js

Filesize
638KB

MD5
bd23f21674639eea532fc311b8f87168

SHA1
522a842c7189a8d9f890c9999a8efaa6ab21301b

SHA256
791ffa07e016eec3dd14fd160f6833f147c6b8a835fdf2154bbfa29da405bc2a

SHA512
60546662f12a3bc8beebd9978c8a37f206c9b6a98deebc98dc208ff8afe5ac0a1f1e830da2688090c7c29c00829f6be4b3e606161c35b5a6c0c20a5f216b187e

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
305KB

MD5
ff3f950426200dc204b9f75a928b3fcd

SHA1
25bdb3542c46066bebb86856ddeb8258e2082d34

SHA256
cec74690e836fbd5e8ace416a69432fc9e2b5047f3e36b87a2b9f7152c9e06fb

SHA512
949f36f16b68673506127c085f179a6ce545ab2c202fd2cc225c76b21f76947998b1adc5b725f3532c1bb4f3a3ceb94b23d3ebf3fa4ac73863370d014907b020

Download Submit
C:\Users\Admin\AppData\Local\Temp\hSc.exe

Filesize
88KB

MD5
ce3760626f7320dd45bf9a7a3708cb3f

SHA1
bc16fccd38226bcb269a0e8eaad3d9991b7013ae

SHA256
4a523ed4cc884a4d0a1f2a306ad9d7c0fb58a2bfb08cf8a3eb02ac78d129d6e3

SHA512
9bbadc74f492447aebd42c0a94f8c2d12fe056518f867dc00ed6262e93c886b3419b87985c3647b0eb7979a65c60f7096a6d2c77c4a5f9d56525bd0cc13e6d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77EF.tmp.bat

Filesize
152B

MD5
355131e312fb5a2571e65d1c3e955a5f

SHA1
940eefb7fdb95dbee5c1ee8be2cd654c25cccc38

SHA256
c37425edfcd6df043c50a6bd0f68f667423d0255d27a25c6c40f4fb9a09490ce

SHA512
81d0e252619cbde5c9bae6614da307c3cceee3db6e47a98865e8f07b46761b33d8220f2c2099ea8c7fa3ab54ea953b2a86931673a1ecc49fa8f03bd85ed93fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.js

Filesize
138KB

MD5
a16994a058b4c8dd3bbd6d09ad411f43

SHA1
d8b7a027f2d75b7c58f7b8528db6d658ac925b84

SHA256
3c93d99e841ed0390a73f57465fa5a5bdb77c5647eacbcb53ae35d1bcca3ab9d

SHA512
664bb8c9e06a13cf7a57972bb9159d27fb339badd8e71eb179d69da488af1ca56fba56ecef7b497c651d3b41a66d97edb77044728f7ea32845b48713c57fc3c9

Download Submit
memory/904-39-0x0000000005AF0000-0x0000000005B02000-memory.dmp

Filesize
72KB

Download
memory/904-42-0x00000000073F0000-0x0000000007994000-memory.dmp

Filesize
5.6MB

Download
memory/904-43-0x0000000006ED0000-0x0000000006F36000-memory.dmp

Filesize
408KB

Download
memory/904-46-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/4748-33-0x0000000000910000-0x000000000092C000-memory.dmp

Filesize
112KB

Download
memory/4748-28-0x00000000052E0000-0x000000000537C000-memory.dmp

Filesize
624KB

Download
memory/4748-27-0x0000000002910000-0x0000000002922000-memory.dmp

Filesize
72KB

Download