wshrat | 7f38be2593e003aaac7adcd4ee19587d85f62b32821cad87ca784f5abf1269e6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mghc.js
Size

1.5MB
MD5

d988a34cdd969239c90ce929f2790bfd
SHA1

4564094c75a164819446681e048259b137bf2330
SHA256

7f38be2593e003aaac7adcd4ee19587d85f62b32821cad87ca784f5abf1269e6
SHA512

d2274ccc82e96a74b71ff464f87d3118032e7e70e32ed4c527261e44daf71a250af3d624a4fdf2a505f2f3b826a18523e2b68d53368a44ee2b6e547a0d99a004
SSDEEP

24576:k4k3obSkRF2IWZO1OFnRgEUnB23Zx00aDLXM:qobrNsE0D

Score

10^/10

wshrat discovery execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://lee44.kozow.com:6892

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
2	5848	WScript.exe
19	5848	WScript.exe
20	5848	WScript.exe
21	5848	WScript.exe
22	5848	WScript.exe
23	1188	wscript.exe
24	5848	WScript.exe
25	1188	wscript.exe
26	5848	WScript.exe
27	1188	wscript.exe
28	5848	WScript.exe
29	1188	wscript.exe
30	5848	WScript.exe
31	1188	wscript.exe
32	5052	wscript.exe
33	5848	WScript.exe
34	1188	wscript.exe
35	5052	wscript.exe
41	1188	wscript.exe
42	5848	WScript.exe
43	5052	wscript.exe
44	5848	WScript.exe
45	1188	wscript.exe
46	5052	wscript.exe
47	1188	wscript.exe
48	5848	WScript.exe
49	5052	wscript.exe
50	4020	wscript.exe
51	1188	wscript.exe
52	5848	WScript.exe
53	5052	wscript.exe
54	4020	wscript.exe
55	1188	wscript.exe
56	5848	WScript.exe
57	5052	wscript.exe
58	4020	wscript.exe
59	1188	wscript.exe
60	5848	WScript.exe
61	5052	wscript.exe
64	4020	wscript.exe
66	1188	wscript.exe
67	5848	WScript.exe
68	5052	wscript.exe
69	4020	wscript.exe
70	4368	wscript.exe
71	1188	wscript.exe
72	5848	WScript.exe
73	5052	wscript.exe
74	4020	wscript.exe
75	4368	wscript.exe
76	1188	wscript.exe
77	5848	WScript.exe
78	5052	wscript.exe
79	4020	wscript.exe
80	1188	wscript.exe
81	4368	wscript.exe
82	5848	WScript.exe
83	5052	wscript.exe
84	4020	wscript.exe
85	1188	wscript.exe
86	4368	wscript.exe
87	5848	WScript.exe
88	5052	wscript.exe
89	4020	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 17 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.lnk	MDI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4716	MDI.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rscvs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rscvs.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
912	cmd.exe
556	PING.EXE
5632	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings	wscript.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
556	PING.EXE
5632	PING.EXE

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	19	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	27	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	31	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	87	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	30	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	95	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	101	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	108	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	21	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	64	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	85	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	61	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	81	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	105	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	28	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	44	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	45	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	59	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	70	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	100	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	104	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	77	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	26	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	49	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	69	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	86	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	48	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	32	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	51	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	91	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	42	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	54	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	22	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	23	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	66	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	67	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	79	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	53	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	57	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	82	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	96	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	102	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	35	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	46	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	56	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	68	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	83	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	52	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript
HTTP User-Agent header	55	WSHRAT\|3C830423\|JZJZFYBX\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 11/4/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe
4716	MDI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	MDI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 5848	2960	wscript.exe	82
PID 2960 wrote to memory of 5848	2960	wscript.exe	82
PID 2960 wrote to memory of 4004	2960	wscript.exe	83
PID 2960 wrote to memory of 4004	2960	wscript.exe	83
PID 4004 wrote to memory of 4716	4004	WScript.exe	92
PID 4004 wrote to memory of 4716	4004	WScript.exe	92
PID 4004 wrote to memory of 4716	4004	WScript.exe	92
PID 3560 wrote to memory of 2300	3560	cmd.exe	94
PID 3560 wrote to memory of 2300	3560	cmd.exe	94
PID 1020 wrote to memory of 5312	1020	cmd.exe	95
PID 1020 wrote to memory of 5312	1020	cmd.exe	95
PID 4108 wrote to memory of 3516	4108	cmd.exe	96
PID 4108 wrote to memory of 3516	4108	cmd.exe	96
PID 5112 wrote to memory of 5924	5112	cmd.exe	97
PID 5112 wrote to memory of 5924	5112	cmd.exe	97
PID 6100 wrote to memory of 3052	6100	cmd.exe	106
PID 6100 wrote to memory of 3052	6100	cmd.exe	106
PID 344 wrote to memory of 6132	344	cmd.exe	107
PID 344 wrote to memory of 6132	344	cmd.exe	107
PID 2188 wrote to memory of 6056	2188	cmd.exe	112
PID 2188 wrote to memory of 6056	2188	cmd.exe	112
PID 3804 wrote to memory of 4464	3804	cmd.exe	113
PID 3804 wrote to memory of 4464	3804	cmd.exe	113
PID 3048 wrote to memory of 4368	3048	cmd.exe	118
PID 3048 wrote to memory of 4368	3048	cmd.exe	118
PID 1176 wrote to memory of 540	1176	cmd.exe	119
PID 1176 wrote to memory of 540	1176	cmd.exe	119
PID 1608 wrote to memory of 1904	1608	cmd.exe	124
PID 1608 wrote to memory of 1904	1608	cmd.exe	124
PID 3608 wrote to memory of 1188	3608	cmd.exe	125
PID 3608 wrote to memory of 1188	3608	cmd.exe	125
PID 2852 wrote to memory of 2592	2852	cmd.exe	138
PID 2852 wrote to memory of 2592	2852	cmd.exe	138
PID 512 wrote to memory of 5852	512	cmd.exe	139
PID 512 wrote to memory of 5852	512	cmd.exe	139
PID 4084 wrote to memory of 6108	4084	cmd.exe	140
PID 4084 wrote to memory of 6108	4084	cmd.exe	140
PID 1520 wrote to memory of 2168	1520	cmd.exe	141
PID 1520 wrote to memory of 2168	1520	cmd.exe	141
PID 5536 wrote to memory of 1392	5536	cmd.exe	142
PID 5536 wrote to memory of 1392	5536	cmd.exe	142
PID 1792 wrote to memory of 1468	1792	cmd.exe	143
PID 1792 wrote to memory of 1468	1792	cmd.exe	143
PID 556 wrote to memory of 920	556	cmd.exe	148
PID 556 wrote to memory of 920	556	cmd.exe	148
PID 3480 wrote to memory of 5408	3480	cmd.exe	149
PID 3480 wrote to memory of 5408	3480	cmd.exe	149
PID 4864 wrote to memory of 3384	4864	cmd.exe	154
PID 4864 wrote to memory of 3384	4864	cmd.exe	154
PID 4964 wrote to memory of 3652	4964	cmd.exe	155
PID 4964 wrote to memory of 3652	4964	cmd.exe	155
PID 456 wrote to memory of 4332	456	cmd.exe	160
PID 456 wrote to memory of 4332	456	cmd.exe	160
PID 5092 wrote to memory of 5364	5092	cmd.exe	161
PID 5092 wrote to memory of 5364	5092	cmd.exe	161
PID 4940 wrote to memory of 5648	4940	cmd.exe	167
PID 4940 wrote to memory of 5648	4940	cmd.exe	167
PID 1644 wrote to memory of 4440	1644	cmd.exe	168
PID 1644 wrote to memory of 4440	1644	cmd.exe	168
PID 3916 wrote to memory of 1696	3916	cmd.exe	173
PID 3916 wrote to memory of 1696	3916	cmd.exe	173
PID 2640 wrote to memory of 5248	2640	cmd.exe	174
PID 2640 wrote to memory of 5248	2640	cmd.exe	174
PID 4300 wrote to memory of 2784	4300	cmd.exe	179

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\mghc.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\MDI.exe
    "C:\Users\Admin\AppData\Local\Temp\MDI.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 67 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MDI.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Update\Windows Update.exe" && ping 127.0.0.1 -n 67 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Update\Windows Update.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:912
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 67
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 67
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4616
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3596
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4380
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5984
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:812
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3396
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2280
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5152
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2092
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3996
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2044
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3108
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:6024
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5508
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5576
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4380
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4988
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5780
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4204
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3392
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5972
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5460
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2004
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1184
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5496
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3528
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5804
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2240
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5180
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4560
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4048
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5336
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4608
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5568
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1368
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2392
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4676
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5860
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:6072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4116
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:512
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:720
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3420
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3064
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3480
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2172
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4700
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:456
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4592
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5996
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1028
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1840
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3416
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3588
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4364
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1908
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:992
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1716
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1492
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5452
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4040
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3696
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:2404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5892
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1728
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:3904
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:5324
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:1920
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:6136
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4764
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
1⤵
PID:4260
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\rscvs.js"
  2⤵
  PID:4140

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MDI.exe

Filesize
607KB

MD5
907e3087cc9014ccb0eba8f321215345

SHA1
f4c0a20db0257fdfcbef799270a70ca30fac5674

SHA256
1dd76fc9ad34b7338fddf1776facb72438c71604c32e589318fb7b1b669af770

SHA512
5acd3533cce933e62f5f1a784148c8ef7899e7c07ba1bac6953660839cbb499d7f5621431ff49622b62cfae59e0e50d4895dd14d79e2790fe6668a73ed88b481

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
830KB

MD5
11f91ecd53dbb491d93234256a1d63b7

SHA1
4f892558c441cbe13562f3c1836afb69f6eda704

SHA256
050b09d8b0ccc27396094c20ff0ea3973293194401157de1e61d89d519e9bb2d

SHA512
596adf47267879aeda7637c753702d2b30251de9386cbe624f0b7b3a408f8405503e94e1a22ab9f86b5b883b8344d87c3c29970abcdf368734002b5ca8e831be

Download Submit
C:\Users\Admin\AppData\Local\Temp\rscvs.js

Filesize
283KB

MD5
3915ec56ac7e4bf84a0aadfb77a77b8c

SHA1
16803d013b9e62412bbb6ee214d5a5af16ee9ec0

SHA256
358144a1167fa03eb8829dd4d5fd67e00ed4374eca99b26dda0589e8a4048ba2

SHA512
b89d5c0e2cc811e6f4f77d18e91ca922b7a5b97730f160392f4ea0a1db77d1a4bfb7fe2ab2074d3037f6fb579b88e908cdcc0f9ee308b118ad1ca7ca2eb00a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js

Filesize
64KB

MD5
a3fcf91df78f81894c2d909e8f2201ec

SHA1
1f30d8d5cf0903fd612bc4fc09f229145cc2603c

SHA256
c0e26922fb7c4bd6c2ec726a85239fd488e2d8a7c9968759a8d9c1dc7b7aa20a

SHA512
88b7901bb4aa4bbccea19201dd5f8d47494b141a9a99859d8510c87d3ac3e5e03a20077d6f8b4dfb1faeeae83c79c346eb85b70f0be620804e77513183e64a5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rscvs.js

Filesize
256KB

MD5
b9e6d8fa204d83d068c12370af1620f3

SHA1
10e2bef0e7567e2ef2d9b9102094997e222e057b

SHA256
bfd33a1d67bb723b4de5b4bfa53079446204e8331025635c335f34c7ab78bf53

SHA512
c2d332ebc93cd03d1894c5801187fcfcbb8f5728d37cf950ccb70711ccd77918072f573362bba37adf26d3eaa79d98325c1f195b3cc9fc38b9d3d3204eb1ff39

Download Submit
memory/4716-24-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/4716-25-0x00000000066F0000-0x0000000006A44000-memory.dmp

Filesize
3.3MB

Download
memory/4716-26-0x0000000006BD0000-0x0000000006BDA000-memory.dmp

Filesize
40KB

Download
memory/4716-27-0x0000000006C00000-0x0000000006C26000-memory.dmp

Filesize
152KB

Download
memory/4716-23-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/4716-22-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/4716-21-0x0000000000A90000-0x0000000000B2E000-memory.dmp

Filesize
632KB

Download