wshrat | f917f31216deb0765e687fed60323e7b6a317002febb1e2b0b6999baff8690ba

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wpp.js
Size

1.3MB
MD5

95643ad15dcfc79f7421c8ceef1db756
SHA1

238c841d72a2615900ab0f373a438d56e660bbf5
SHA256

f917f31216deb0765e687fed60323e7b6a317002febb1e2b0b6999baff8690ba
SHA512

77ae8f0823d32f6bf6221d3788130813603e16f84feba2019e836fd4a753478a8bd42a79ef2bdf329a5ef532eeec9f6d08924bf80d60e79efff4a0040ee68cb6
SSDEEP

12288:uuN4/UiN7GcJM7mJyoRW60PY2EV1w9m+MoJMsn6GlX:buRpbgmW1PYHreJMsn6U

Score

10^/10

wshrat discovery execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.myddns.rocks:7044

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
8	464	wscript.exe
31	464	wscript.exe
37	464	wscript.exe
38	464	wscript.exe
39	464	wscript.exe
40	1952	wscript.exe
46	464	wscript.exe
54	1952	wscript.exe
56	464	wscript.exe
57	1952	wscript.exe
68	464	wscript.exe
69	1952	wscript.exe
70	464	wscript.exe
71	1952	wscript.exe
72	4860	wscript.exe
73	464	wscript.exe
74	1952	wscript.exe
75	4860	wscript.exe
76	464	wscript.exe
77	1952	wscript.exe
78	4860	wscript.exe
81	464	wscript.exe
83	1952	wscript.exe
84	4860	wscript.exe
85	464	wscript.exe
86	1952	wscript.exe
87	4860	wscript.exe
88	5276	wscript.exe
89	464	wscript.exe
90	1952	wscript.exe
91	4860	wscript.exe
92	5276	wscript.exe
93	464	wscript.exe
94	1952	wscript.exe
95	4860	wscript.exe
96	5276	wscript.exe
97	464	wscript.exe
98	1952	wscript.exe
99	4860	wscript.exe
100	5276	wscript.exe
106	464	wscript.exe
107	1952	wscript.exe
108	4860	wscript.exe
109	5276	wscript.exe
110	208	wscript.exe
111	464	wscript.exe
112	1952	wscript.exe
113	4860	wscript.exe
114	5276	wscript.exe
115	208	wscript.exe
119	464	wscript.exe
120	1952	wscript.exe
121	4860	wscript.exe
122	5276	wscript.exe
123	208	wscript.exe
124	464	wscript.exe
125	1952	wscript.exe
126	4860	wscript.exe
127	5276	wscript.exe
128	208	wscript.exe
129	464	wscript.exe
130	1952	wscript.exe
131	4860	wscript.exe
132	5276	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 16 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3896	xDd.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg.exe = "C:\\Users\\Admin\\Audio\\Windows Audio.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xDd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4100	cmd.exe
5496	PING.EXE
2156	cmd.exe
5376	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wscript.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5376	PING.EXE
5496	PING.EXE

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	73	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	88	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	112	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	113	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	54	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	96	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	108	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	143	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	167	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	81	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	38	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	91	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	110	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	111	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	131	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	125	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	128	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	133	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	160	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	137	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	144	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	150	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	152	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	156	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	161	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	165	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	68	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	130	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	145	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	46	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	123	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	126	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	129	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	158	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	162	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	31	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	71	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	120	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	132	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	151	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	163	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	106	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	109	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	146	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	153	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	37	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	39	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	84	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	157	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	164	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	87	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	70	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	136	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	140	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe
3896	xDd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	xDd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5200 wrote to memory of 3668	5200	wscript.exe	86
PID 5200 wrote to memory of 3668	5200	wscript.exe	86
PID 5200 wrote to memory of 1692	5200	wscript.exe	87
PID 5200 wrote to memory of 1692	5200	wscript.exe	87
PID 3668 wrote to memory of 464	3668	WScript.exe	92
PID 3668 wrote to memory of 464	3668	WScript.exe	92
PID 4760 wrote to memory of 5560	4760	cmd.exe	93
PID 4760 wrote to memory of 5560	4760	cmd.exe	93
PID 1692 wrote to memory of 3896	1692	WScript.exe	94
PID 1692 wrote to memory of 3896	1692	WScript.exe	94
PID 1692 wrote to memory of 3896	1692	WScript.exe	94
PID 2980 wrote to memory of 5984	2980	cmd.exe	95
PID 2980 wrote to memory of 5984	2980	cmd.exe	95
PID 1172 wrote to memory of 4800	1172	cmd.exe	112
PID 1172 wrote to memory of 4800	1172	cmd.exe	112
PID 5632 wrote to memory of 2060	5632	cmd.exe	111
PID 5632 wrote to memory of 2060	5632	cmd.exe	111
PID 4616 wrote to memory of 2304	4616	cmd.exe	110
PID 4616 wrote to memory of 2304	4616	cmd.exe	110
PID 4580 wrote to memory of 4260	4580	cmd.exe	109
PID 4580 wrote to memory of 4260	4580	cmd.exe	109
PID 4664 wrote to memory of 4852	4664	cmd.exe	113
PID 4664 wrote to memory of 4852	4664	cmd.exe	113
PID 4660 wrote to memory of 6112	4660	cmd.exe	114
PID 4660 wrote to memory of 6112	4660	cmd.exe	114
PID 4456 wrote to memory of 1156	4456	cmd.exe	128
PID 4456 wrote to memory of 1156	4456	cmd.exe	128
PID 4496 wrote to memory of 5272	4496	cmd.exe	129
PID 4496 wrote to memory of 5272	4496	cmd.exe	129
PID 2184 wrote to memory of 2984	2184	cmd.exe	137
PID 2184 wrote to memory of 2984	2184	cmd.exe	137
PID 1092 wrote to memory of 1868	1092	cmd.exe	138
PID 1092 wrote to memory of 1868	1092	cmd.exe	138
PID 3896 wrote to memory of 2156	3896	xDd.exe	139
PID 3896 wrote to memory of 2156	3896	xDd.exe	139
PID 3896 wrote to memory of 2156	3896	xDd.exe	139
PID 2156 wrote to memory of 5376	2156	cmd.exe	141
PID 2156 wrote to memory of 5376	2156	cmd.exe	141
PID 2156 wrote to memory of 5376	2156	cmd.exe	141
PID 5976 wrote to memory of 5780	5976	cmd.exe	146
PID 5976 wrote to memory of 5780	5976	cmd.exe	146
PID 4044 wrote to memory of 4432	4044	cmd.exe	147
PID 4044 wrote to memory of 4432	4044	cmd.exe	147
PID 4552 wrote to memory of 1952	4552	cmd.exe	152
PID 4552 wrote to memory of 1952	4552	cmd.exe	152
PID 5664 wrote to memory of 2444	5664	cmd.exe	153
PID 5664 wrote to memory of 2444	5664	cmd.exe	153
PID 4312 wrote to memory of 4804	4312	cmd.exe	166
PID 4312 wrote to memory of 4804	4312	cmd.exe	166
PID 1556 wrote to memory of 2304	1556	cmd.exe	167
PID 1556 wrote to memory of 2304	1556	cmd.exe	167
PID 5096 wrote to memory of 4824	5096	cmd.exe	168
PID 5096 wrote to memory of 4824	5096	cmd.exe	168
PID 2544 wrote to memory of 4072	2544	cmd.exe	169
PID 2544 wrote to memory of 4072	2544	cmd.exe	169
PID 2460 wrote to memory of 744	2460	cmd.exe	170
PID 2460 wrote to memory of 744	2460	cmd.exe	170
PID 4704 wrote to memory of 4528	4704	cmd.exe	171
PID 4704 wrote to memory of 4528	4704	cmd.exe	171
PID 4580 wrote to memory of 4668	4580	cmd.exe	177
PID 4580 wrote to memory of 4668	4580	cmd.exe	177
PID 4780 wrote to memory of 4884	4780	cmd.exe	178
PID 4780 wrote to memory of 4884	4780	cmd.exe	178
PID 5344 wrote to memory of 3732	5344	cmd.exe	183

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\wpp.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:464
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\browser.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\xDd.exe
    "C:\Users\Admin\AppData\Local\Temp\xDd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 69 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\Admin\Audio\Windows Audio.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 69
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5376
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\Admin\Audio\Windows Audio.exe"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3192
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 77 > nul && copy "C:\Users\Admin\AppData\Local\Temp\xDd.exe" "C:\Users\Admin\Audio\Windows Audio.exe" && ping 127.0.0.1 -n 77 > nul && "C:\Users\Admin\Audio\Windows Audio.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4100
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 77
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4772
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1332
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4684
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4848
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:828
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2692
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4024
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2148
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4368
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6028
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4472
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6060
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:316
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4524
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6080
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5736
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3196
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Audio\Windows Audio.exe
1⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5508
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4192
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4824
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5200
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4828
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4316
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4144
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5148
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1724
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4680
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4220
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1172
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2156
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2768
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5900
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5236
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3168
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4612
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2580
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:744
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2144
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4092
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5148
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4752
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3736
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:996
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:220
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2696
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2288
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:624
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3464
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:6112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1532
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2336
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2964
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4200
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4540
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1476
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:2776
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:4076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:3632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:5728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:1048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
1⤵
PID:728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
  2⤵
  PID:1528

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\audiodg.js

Filesize
305KB

MD5
502acc61f92b1e25e8559c7dc8fc0541

SHA1
aa28abe01e2ed78dc976210b72cc1d2596baa77c

SHA256
64cc9dc7163fabfb3a5126bf810241d988d815053cb758a92fa1f5a08c94ac3c

SHA512
72cce344e7b8461abb146d3ec426cd182f84557aa800b3bfc3b74a220285bb6528d14f169e1fc37af733b9d42fdf71ff2f657df17733316b45881d1ed356fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\browser.js

Filesize
675KB

MD5
4ed4f9b8516ae94a6142c28215385f95

SHA1
49bae557a22c7a4cd3293e5d128bb3301d60d9a7

SHA256
18d4022eb089b4536cea560bffe5192d24a2e69ccec7e47fb7b9daa60c6cee8c

SHA512
4e334bd71682f858afa33e3c2fbd76e6135f76cd68a051453aa3a1b48ebbaaf07eef0a18bd347a3e3d11b2c8c41e4302663c0c7d0c863a2c6f12ea755c6286a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDd.exe

Filesize
490KB

MD5
251e3b895fbe3caa03a12a06ceb7fc2f

SHA1
91646a35df91b6a6d9312cf3474952ba8fbc47f6

SHA256
7953bd08347c21b723913ef2d8a33f432d02c6e20ebae0c0becf9a920475105f

SHA512
01e988fe666a2f4222cf9bd71f3e4b40f4ba544ab54f1fd3c817c1fc6c0f25929d3dae7c4af99a753b35dbd3957c4a3b6e1403fcff3f6f73d20c93d6e5cb964a

Download Submit
memory/3896-27-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/3896-28-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/3896-29-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/3896-30-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/3896-34-0x00000000055D0000-0x00000000055F6000-memory.dmp

Filesize
152KB

Download
memory/3896-35-0x0000000007230000-0x000000000723A000-memory.dmp

Filesize
40KB

Download