wshrat | 74290592dacffc76566bd96f54da0d4a2cec1d6744f6c27ff5cbdff2eb13774a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-447890-25047AP.js
Size

7KB
MD5

9455be6935fef1fe046b9d6df6ac3cd9
SHA1

5b19631ecf6c5fd49c7de7d0b5e4a0c4d6f7962b
SHA256

74290592dacffc76566bd96f54da0d4a2cec1d6744f6c27ff5cbdff2eb13774a
SHA512

18af68e2ee48741c82c4ea7d8d2f7c5ff58e303d72cc27e9b8e63a8461354c9b54383010ab1084e7d42ae717f8d6f418cdb986bc931fe57f2b347c6cb193cb4f
SSDEEP

48:1VYfV46iVyq72+gPyryK+Gys8gP746+mq72+gPawormojZ+1ZAmojHSSfw9xVq7S:d

Score

10^/10

wshrat discovery execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
3	2872	wscript.exe
26	1900	wscript.exe
34	1900	wscript.exe
41	1900	wscript.exe
42	1900	wscript.exe
43	1900	wscript.exe
44	1820	wscript.exe
54	1900	wscript.exe
58	1820	wscript.exe
64	1900	wscript.exe
74	1820	wscript.exe
75	1900	wscript.exe
76	1820	wscript.exe
77	1900	wscript.exe
78	1820	wscript.exe
79	396	wscript.exe
80	1900	wscript.exe
81	1820	wscript.exe
82	396	wscript.exe
83	1900	wscript.exe
86	1820	wscript.exe
87	396	wscript.exe
94	1900	wscript.exe
95	1820	wscript.exe
96	396	wscript.exe
97	1900	wscript.exe
98	1820	wscript.exe
99	396	wscript.exe
100	5040	wscript.exe
101	1900	wscript.exe
102	1820	wscript.exe
103	396	wscript.exe
104	5040	wscript.exe
105	1900	wscript.exe
106	1820	wscript.exe
107	396	wscript.exe
108	5040	wscript.exe
109	1900	wscript.exe
110	1820	wscript.exe
111	396	wscript.exe
112	5040	wscript.exe
113	1900	wscript.exe
114	1820	wscript.exe
115	396	wscript.exe
116	5040	wscript.exe
117	5048	wscript.exe
118	1900	wscript.exe
119	1820	wscript.exe
122	396	wscript.exe
124	5040	wscript.exe
125	5048	wscript.exe
126	1900	wscript.exe
127	1820	wscript.exe
128	396	wscript.exe
129	5040	wscript.exe
130	5048	wscript.exe
131	1900	wscript.exe
132	1820	wscript.exe
133	396	wscript.exe
134	5040	wscript.exe
135	5048	wscript.exe
136	1900	wscript.exe
137	1820	wscript.exe
138	396	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 16 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Audiodg.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1636	orroctl.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orroctl.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	WScript.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	118	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	133	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	139	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	143	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	155	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	122	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	128	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	138	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	154	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	156	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	168	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	54	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	64	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	108	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	124	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	141	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	152	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	158	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	41	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	142	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	149	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	157	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	86	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	104	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	110	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	145	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	151	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	162	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	43	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	106	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	170	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	111	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	100	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	34	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	42	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	102	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	112	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	116	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	125	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	129	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	159	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	169	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	96	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	132	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	140	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	150	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript
HTTP User-Agent header	146	WSHRAT\|E28D2C71\|BMIVDHSR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 8/4/2025\|JavaScript

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2668	2872	wscript.exe	89
PID 2872 wrote to memory of 2668	2872	wscript.exe	89
PID 2668 wrote to memory of 2948	2668	WScript.exe	90
PID 2668 wrote to memory of 2948	2668	WScript.exe	90
PID 2668 wrote to memory of 4908	2668	WScript.exe	91
PID 2668 wrote to memory of 4908	2668	WScript.exe	91
PID 4908 wrote to memory of 1636	4908	WScript.exe	96
PID 4908 wrote to memory of 1636	4908	WScript.exe	96
PID 4908 wrote to memory of 1636	4908	WScript.exe	96
PID 2948 wrote to memory of 1900	2948	WScript.exe	97
PID 2948 wrote to memory of 1900	2948	WScript.exe	97
PID 3164 wrote to memory of 936	3164	cmd.exe	98
PID 3164 wrote to memory of 936	3164	cmd.exe	98
PID 2812 wrote to memory of 2684	2812	cmd.exe	99
PID 2812 wrote to memory of 2684	2812	cmd.exe	99
PID 3972 wrote to memory of 4320	3972	cmd.exe	112
PID 3972 wrote to memory of 4320	3972	cmd.exe	112
PID 4664 wrote to memory of 4488	4664	cmd.exe	114
PID 4664 wrote to memory of 4488	4664	cmd.exe	114
PID 4396 wrote to memory of 2372	4396	cmd.exe	115
PID 4396 wrote to memory of 2372	4396	cmd.exe	115
PID 2100 wrote to memory of 1676	2100	cmd.exe	116
PID 2100 wrote to memory of 1676	2100	cmd.exe	116
PID 4108 wrote to memory of 400	4108	cmd.exe	117
PID 4108 wrote to memory of 400	4108	cmd.exe	117
PID 4712 wrote to memory of 1728	4712	cmd.exe	118
PID 4712 wrote to memory of 1728	4712	cmd.exe	118
PID 4272 wrote to memory of 3952	4272	cmd.exe	129
PID 4272 wrote to memory of 3952	4272	cmd.exe	129
PID 1648 wrote to memory of 1504	1648	cmd.exe	130
PID 1648 wrote to memory of 1504	1648	cmd.exe	130
PID 936 wrote to memory of 2000	936	cmd.exe	137
PID 936 wrote to memory of 2000	936	cmd.exe	137
PID 4084 wrote to memory of 2304	4084	cmd.exe	138
PID 4084 wrote to memory of 2304	4084	cmd.exe	138
PID 2968 wrote to memory of 4568	2968	cmd.exe	143
PID 2968 wrote to memory of 4568	2968	cmd.exe	143
PID 4268 wrote to memory of 4912	4268	cmd.exe	144
PID 4268 wrote to memory of 4912	4268	cmd.exe	144
PID 2972 wrote to memory of 1820	2972	cmd.exe	149
PID 2972 wrote to memory of 1820	2972	cmd.exe	149
PID 4432 wrote to memory of 3848	4432	cmd.exe	150
PID 4432 wrote to memory of 3848	4432	cmd.exe	150
PID 2756 wrote to memory of 4020	2756	cmd.exe	163
PID 2756 wrote to memory of 4020	2756	cmd.exe	163
PID 2936 wrote to memory of 1936	2936	cmd.exe	165
PID 2936 wrote to memory of 1936	2936	cmd.exe	165
PID 1616 wrote to memory of 2512	1616	cmd.exe	164
PID 1616 wrote to memory of 2512	1616	cmd.exe	164
PID 4848 wrote to memory of 1684	4848	cmd.exe	166
PID 4848 wrote to memory of 1684	4848	cmd.exe	166
PID 1540 wrote to memory of 2064	1540	cmd.exe	167
PID 1540 wrote to memory of 2064	1540	cmd.exe	167
PID 2660 wrote to memory of 2752	2660	cmd.exe	168
PID 2660 wrote to memory of 2752	2660	cmd.exe	168
PID 5048 wrote to memory of 3636	5048	cmd.exe	174
PID 5048 wrote to memory of 3636	5048	cmd.exe	174
PID 448 wrote to memory of 4376	448	cmd.exe	175
PID 448 wrote to memory of 4376	448	cmd.exe	175
PID 2764 wrote to memory of 4404	2764	cmd.exe	180
PID 2764 wrote to memory of 4404	2764	cmd.exe	180
PID 3112 wrote to memory of 1896	3112	cmd.exe	181
PID 3112 wrote to memory of 1896	3112	cmd.exe	181
PID 316 wrote to memory of 4116	316	cmd.exe	189

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-447890-25047AP.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QQGABI.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Audiodg.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:1900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\orroctl.exe
      "C:\Users\Admin\AppData\Local\Temp\orroctl.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3964
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2684
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5028
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4248
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3164
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:316
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1788
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4828
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3848
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3796
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4984
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4340
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4736
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2620
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3188
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:448
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3124
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4416
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3508
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4984
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1928
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4640
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2428
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2400
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4296
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4368
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4408
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4328
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:348
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2924
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3128
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1716
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:5044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4248
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:216
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2144
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:4756
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:3440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:1240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
1⤵
PID:2976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\Audiodg.js"
  2⤵
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Audiodg.js

Filesize
283KB

MD5
8dffacf26da035dcda2a5e938e137968

SHA1
c1b032a717d49d6c35fe7281f41b398ed0ccd856

SHA256
a1544f7f62a1d82ed7f7034316a6989796ebc583b071ac7df7054fb1c1fc7261

SHA512
772c92dca2416002113bdf0862a1c1b0e3e7535219679072be0dc7ff2e244f1c9e771add5f216271529bd5a36faaf48e413381faa85d8ce342e086f295fe2c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQGABI.js

Filesize
569KB

MD5
58ad6ce83e888acdfd085c8cb3b7d2d6

SHA1
ea6411fb56d104ab5d716c5d16a9a7bbcfaef5ca

SHA256
dc7d0427f01e02a7752db8ac7aa6f77caf8dc83896b74b3cf6999fcba3288020

SHA512
68b216db2d3a6db40c026e8b69b8ae5fc276700d414bb34f6b2d905164fc0ade17cd2637ad34025c24954e9deb135c7e05fbae7f2a705e3f40d00ced051aa4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\orroctl.exe

Filesize
65KB

MD5
09456ee3f6fb995f38734e6360162e0e

SHA1
68a1aeb27fb77e4ce30d1f026d3226531824f214

SHA256
4c101eb54963c36718d716009dbb8a87e1d312f087f42c9db900327d791d24e5

SHA512
22fb0dab49f58f5d4934c33456a2c127b675989225e9c5fe054e3126d1ffcbc250fad26d816384281cbb199eae419982e7c43246a9e0b5505b90201e1a1a4016

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.js

Filesize
108KB

MD5
81e632eae9dbfdb1ced86b4654b5d6f4

SHA1
f8e1b936cc9cdb54c53293b3fd3707916087577f

SHA256
09d630cee9fae646c5df300bb4fd31ce7f4785cd81f2d5c6b85446ff4b3aa421

SHA512
d4e7f04c5e4fd48a8b85d351aa6d61358b271e6b22cb8f361b3eb2a2eaa36e69b4bdf654c44992b0af94e6bd3074fd930307bfe122ad1b02fe73923f395dc909

Download Submit
memory/1636-31-0x0000000000AB0000-0x0000000000AC7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads