wshrat | 8d06f8c4a583736bb005216551a0e9a146d50afe8bdf0cf2ab1e37aceb98c4bf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wpx.js
Size

2.2MB
MD5

28af750ae3556c5bd1a8cb2f56354bdc
SHA1

385e0e12420d06df609f36a1d2dac81ab6b29d41
SHA256

8d06f8c4a583736bb005216551a0e9a146d50afe8bdf0cf2ab1e37aceb98c4bf
SHA512

2be8200fbceca44b7266f53aec5a81c68bd5b831c2b4318223c2428f899d5c48942305dccd77ebf6c6b4ed6c8cdc0bd7e0d3e16f1bf1f09365e5f42151fc45f3
SSDEEP

6144:fUuJ2eTyeu3UuSuTCFq0WX6uiuEvlZYaZH7CNLZn9BZpZn95999QZG9JsNTN7Zda:g7tB3

Score

10^/10

wshrat discovery execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
10	3480	wscript.exe
29	3480	wscript.exe
35	3480	wscript.exe
36	3480	wscript.exe
37	3480	wscript.exe
38	800	wscript.exe
41	3480	wscript.exe
47	800	wscript.exe
53	3480	wscript.exe
58	800	wscript.exe
67	3480	wscript.exe
68	800	wscript.exe
69	3480	wscript.exe
70	800	wscript.exe
71	3764	wscript.exe
72	3480	wscript.exe
73	800	wscript.exe
74	3764	wscript.exe
75	3480	wscript.exe
76	800	wscript.exe
77	3764	wscript.exe
82	3480	wscript.exe
83	800	wscript.exe
84	3764	wscript.exe
85	3480	wscript.exe
86	800	wscript.exe
87	3764	wscript.exe
88	976	wscript.exe
89	3480	wscript.exe
90	800	wscript.exe
91	3764	wscript.exe
92	976	wscript.exe
93	3480	wscript.exe
94	800	wscript.exe
95	3764	wscript.exe
96	976	wscript.exe
97	3480	wscript.exe
98	800	wscript.exe
99	3764	wscript.exe
100	976	wscript.exe
107	3480	wscript.exe
108	800	wscript.exe
109	3764	wscript.exe
110	976	wscript.exe
111	3488	wscript.exe
112	3480	wscript.exe
113	800	wscript.exe
114	3764	wscript.exe
115	976	wscript.exe
116	3488	wscript.exe
119	3480	wscript.exe
120	800	wscript.exe
121	3764	wscript.exe
122	976	wscript.exe
123	3488	wscript.exe
124	3480	wscript.exe
125	800	wscript.exe
126	3764	wscript.exe
127	976	wscript.exe
128	3488	wscript.exe
129	3480	wscript.exe
130	800	wscript.exe
131	3764	wscript.exe
132	976	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	orroctl.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orroctl.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	wscript.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	67	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	84	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	110	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	111	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	121	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	124	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	132	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	53	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	95	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	148	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	156	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	164	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	166	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	47	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	69	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	71	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	128	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	163	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	35	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	160	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	147	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	113	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	123	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	68	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	112	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	141	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	134	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	150	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	154	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	109	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	140	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	146	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	100	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	133	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	165	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	86	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	38	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	70	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	91	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	92	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	119	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	139	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	87	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	142	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	144	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	158	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 5076	1828	wscript.exe	86
PID 1828 wrote to memory of 5076	1828	wscript.exe	86
PID 1828 wrote to memory of 5024	1828	wscript.exe	87
PID 1828 wrote to memory of 5024	1828	wscript.exe	87
PID 5076 wrote to memory of 3480	5076	WScript.exe	92
PID 5076 wrote to memory of 3480	5076	WScript.exe	92
PID 5024 wrote to memory of 4516	5024	WScript.exe	93
PID 5024 wrote to memory of 4516	5024	WScript.exe	93
PID 5024 wrote to memory of 4516	5024	WScript.exe	93
PID 2904 wrote to memory of 3180	2904	cmd.exe	94
PID 2904 wrote to memory of 3180	2904	cmd.exe	94
PID 4016 wrote to memory of 4432	4016	cmd.exe	103
PID 4016 wrote to memory of 4432	4016	cmd.exe	103
PID 2560 wrote to memory of 4240	2560	cmd.exe	104
PID 2560 wrote to memory of 4240	2560	cmd.exe	104
PID 884 wrote to memory of 2672	884	cmd.exe	106
PID 884 wrote to memory of 2672	884	cmd.exe	106
PID 2752 wrote to memory of 748	2752	cmd.exe	107
PID 2752 wrote to memory of 748	2752	cmd.exe	107
PID 4616 wrote to memory of 3484	4616	cmd.exe	108
PID 4616 wrote to memory of 3484	4616	cmd.exe	108
PID 2536 wrote to memory of 5024	2536	cmd.exe	123
PID 2536 wrote to memory of 5024	2536	cmd.exe	123
PID 1668 wrote to memory of 1448	1668	cmd.exe	124
PID 1668 wrote to memory of 1448	1668	cmd.exe	124
PID 1084 wrote to memory of 2560	1084	cmd.exe	131
PID 1084 wrote to memory of 2560	1084	cmd.exe	131
PID 4676 wrote to memory of 4568	4676	cmd.exe	132
PID 4676 wrote to memory of 4568	4676	cmd.exe	132
PID 2400 wrote to memory of 2344	2400	cmd.exe	138
PID 2400 wrote to memory of 2344	2400	cmd.exe	138
PID 1008 wrote to memory of 2764	1008	cmd.exe	137
PID 1008 wrote to memory of 2764	1008	cmd.exe	137
PID 5004 wrote to memory of 4640	5004	cmd.exe	143
PID 5004 wrote to memory of 4640	5004	cmd.exe	143
PID 1088 wrote to memory of 800	1088	cmd.exe	144
PID 1088 wrote to memory of 800	1088	cmd.exe	144
PID 5064 wrote to memory of 5044	5064	cmd.exe	157
PID 5064 wrote to memory of 5044	5064	cmd.exe	157
PID 4596 wrote to memory of 2832	4596	cmd.exe	158
PID 4596 wrote to memory of 2832	4596	cmd.exe	158
PID 3264 wrote to memory of 2192	3264	cmd.exe	159
PID 3264 wrote to memory of 2192	3264	cmd.exe	159
PID 5100 wrote to memory of 3720	5100	cmd.exe	160
PID 5100 wrote to memory of 3720	5100	cmd.exe	160
PID 4388 wrote to memory of 3140	4388	cmd.exe	162
PID 4388 wrote to memory of 3140	4388	cmd.exe	162
PID 3884 wrote to memory of 3120	3884	cmd.exe	161
PID 3884 wrote to memory of 3120	3884	cmd.exe	161
PID 4656 wrote to memory of 4060	4656	cmd.exe	168
PID 4656 wrote to memory of 4060	4656	cmd.exe	168
PID 556 wrote to memory of 3732	556	cmd.exe	169
PID 556 wrote to memory of 3732	556	cmd.exe	169
PID 2560 wrote to memory of 4240	2560	cmd.exe	174
PID 2560 wrote to memory of 4240	2560	cmd.exe	174
PID 1172 wrote to memory of 1240	1172	cmd.exe	175
PID 1172 wrote to memory of 1240	1172	cmd.exe	175
PID 3532 wrote to memory of 2848	3532	cmd.exe	182
PID 3532 wrote to memory of 2848	3532	cmd.exe	182
PID 4616 wrote to memory of 224	4616	cmd.exe	183
PID 4616 wrote to memory of 224	4616	cmd.exe	183
PID 3720 wrote to memory of 2636	3720	cmd.exe	188
PID 3720 wrote to memory of 2636	3720	cmd.exe	188
PID 4208 wrote to memory of 1940	4208	cmd.exe	189

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\wpx.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Audiodg.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:3480
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\orroctl.exe
    "C:\Users\Admin\AppData\Local\Temp\orroctl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1172
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2232
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3232
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:32
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:620
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1600
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4060
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4640
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4060
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4432
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2772
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2232
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4196
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2024
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1964
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2280
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3324
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2600
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3296
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2280
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5080
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2156
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3296
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:8
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3964
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3828
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4832
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:380
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4348
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2524
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3000
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1548
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2024
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5024
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3364
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4172
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2524
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1964
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2208
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1368
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3372
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3756
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3324
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2120
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:60
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2504
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2524
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2772
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:32
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5000
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3432
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4856
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1144
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4348
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Audiodg.js

Filesize
283KB

MD5
8dffacf26da035dcda2a5e938e137968

SHA1
c1b032a717d49d6c35fe7281f41b398ed0ccd856

SHA256
a1544f7f62a1d82ed7f7034316a6989796ebc583b071ac7df7054fb1c1fc7261

SHA512
772c92dca2416002113bdf0862a1c1b0e3e7535219679072be0dc7ff2e244f1c9e771add5f216271529bd5a36faaf48e413381faa85d8ce342e086f295fe2c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\orroctl.exe

Filesize
65KB

MD5
09456ee3f6fb995f38734e6360162e0e

SHA1
68a1aeb27fb77e4ce30d1f026d3226531824f214

SHA256
4c101eb54963c36718d716009dbb8a87e1d312f087f42c9db900327d791d24e5

SHA512
22fb0dab49f58f5d4934c33456a2c127b675989225e9c5fe054e3126d1ffcbc250fad26d816384281cbb199eae419982e7c43246a9e0b5505b90201e1a1a4016

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.js

Filesize
1.4MB

MD5
8e2c824c97c89cc362f6cf5b4a82e09f

SHA1
2ca5048a8aa834293b7267afa36e6ee2e27d1e52

SHA256
feb948f1a41ff1097b21ac099f4d204bd03e3d75d13f7eef28bc546b85ffc928

SHA512
7d78841084a8ab6ff9ae1c13c0f84f78de5a35bf5751f931247e2f9bfc024a3b176e267de4b67f6f967c6d7cdbe90d30100cdb63b85eecb99caea8eccc09beba

Download Submit
memory/4516-23-0x00000000001B0000-0x00000000001C7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads