wshrat | aba8289d1eacae0e2eac939d757b19a576667e4eb47c1d86cbee0ad73f0b3e1a

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-25013-67789543AX.vbs
Size

20KB
MD5

6b05858262470682bdc3297c6641a3db
SHA1

699d8a5aa6e559cc597db68a9125d804f1350b8a
SHA256

aba8289d1eacae0e2eac939d757b19a576667e4eb47c1d86cbee0ad73f0b3e1a
SHA512

41d2694de39c242c7333ee7e49024229f05fc57ec0b0bd587c98155a6c24a4a72b50b56e4ae9c7a4dfe415923e0796ec53e77e11a7932a30c551a457a560c298
SSDEEP

192:dXPjbMX56FswxMD3AiUAGYsfOnqY6Cw6iO/D4nDSIfwAM65/ZBhb38mBuaZL1xFp:9LwXllDA0GCw6iOb0jf3xTYmBzxFBIw

Score

10^/10

wshrat discovery execution persistence trojan

Malware Config

Extracted

Family

wshrat

http://lee44.kozow.com:6892

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 64 IoCs

flow	pid	Process
3	216	WScript.exe
16	2328	WScript.exe
20	2328	WScript.exe
24	2328	WScript.exe
25	2328	WScript.exe
28	2328	WScript.exe
33	3152	wscript.exe
41	2328	WScript.exe
42	3152	wscript.exe
43	2328	WScript.exe
44	3152	wscript.exe
45	2328	WScript.exe
46	3152	wscript.exe
47	2328	WScript.exe
48	3152	wscript.exe
49	3236	wscript.exe
50	2328	WScript.exe
53	3152	wscript.exe
54	3236	wscript.exe
55	2328	WScript.exe
56	3152	wscript.exe
57	3236	wscript.exe
58	2328	WScript.exe
59	3152	wscript.exe
60	3236	wscript.exe
61	2328	WScript.exe
62	3152	wscript.exe
63	3236	wscript.exe
64	2328	WScript.exe
65	5368	wscript.exe
66	3152	wscript.exe
67	3236	wscript.exe
68	2328	WScript.exe
69	5368	wscript.exe
70	3152	wscript.exe
74	3236	wscript.exe
75	2328	WScript.exe
76	5368	wscript.exe
77	3152	wscript.exe
78	3236	wscript.exe
79	2328	WScript.exe
80	5368	wscript.exe
81	3152	wscript.exe
84	3236	wscript.exe
86	2328	WScript.exe
87	5368	wscript.exe
88	3152	wscript.exe
89	4732	wscript.exe
90	3236	wscript.exe
91	2328	WScript.exe
92	5368	wscript.exe
93	3152	wscript.exe
94	4732	wscript.exe
95	3236	wscript.exe
96	2328	WScript.exe
97	5368	wscript.exe
98	3152	wscript.exe
99	4732	wscript.exe
100	3236	wscript.exe
101	2328	WScript.exe
102	5368	wscript.exe
103	3152	wscript.exe
104	4732	wscript.exe
105	3236	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4836	JaG.exe

Adds Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg.exe = "C:\\Users\\Admin\\Audio\\Windows Audio.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3880	cmd.exe
2952	PING.EXE
4464	cmd.exe
864	PING.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	WScript.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2952	PING.EXE
864	PING.EXE

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	50	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	121	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	45	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	48	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	69	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	78	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	93	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	105	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	28	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	43	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	55	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	88	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	119	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	47	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	63	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	64	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	91	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	99	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	110	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	112	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	123	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	53	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	80	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	96	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	114	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	115	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	126	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	54	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	116	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	122	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	98	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	16	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	20	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	41	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	44	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	57	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	79	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	97	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	33	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	42	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	81	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	101	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	103	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	107	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	113	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	117	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	24	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	66	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	89	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	104	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	128	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	90	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	95	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	127	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	59	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	70	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	100	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	109	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	49	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	56	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	94	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript
HTTP User-Agent header	120	WSHRAT\|4AA2680D\|JXPVMCYC\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 15/4/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe
4836	JaG.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	JaG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 216	2744	WScript.exe	84
PID 2744 wrote to memory of 216	2744	WScript.exe	84
PID 216 wrote to memory of 3892	216	WScript.exe	91
PID 216 wrote to memory of 3892	216	WScript.exe	91
PID 3892 wrote to memory of 2328	3892	WScript.exe	93
PID 3892 wrote to memory of 2328	3892	WScript.exe	93
PID 3892 wrote to memory of 4656	3892	WScript.exe	94
PID 3892 wrote to memory of 4656	3892	WScript.exe	94
PID 4656 wrote to memory of 4836	4656	WScript.exe	104
PID 4656 wrote to memory of 4836	4656	WScript.exe	104
PID 4656 wrote to memory of 4836	4656	WScript.exe	104
PID 4880 wrote to memory of 3576	4880	cmd.exe	105
PID 4880 wrote to memory of 3576	4880	cmd.exe	105
PID 4748 wrote to memory of 2364	4748	cmd.exe	106
PID 4748 wrote to memory of 2364	4748	cmd.exe	106
PID 4684 wrote to memory of 3980	4684	cmd.exe	107
PID 4684 wrote to memory of 3980	4684	cmd.exe	107
PID 4800 wrote to memory of 2976	4800	cmd.exe	108
PID 4800 wrote to memory of 2976	4800	cmd.exe	108
PID 5652 wrote to memory of 4956	5652	cmd.exe	116
PID 5652 wrote to memory of 4956	5652	cmd.exe	116
PID 1104 wrote to memory of 2348	1104	cmd.exe	117
PID 1104 wrote to memory of 2348	1104	cmd.exe	117
PID 6112 wrote to memory of 532	6112	cmd.exe	122
PID 6112 wrote to memory of 532	6112	cmd.exe	122
PID 3968 wrote to memory of 4132	3968	cmd.exe	123
PID 3968 wrote to memory of 4132	3968	cmd.exe	123
PID 4836 wrote to memory of 3880	4836	JaG.exe	124
PID 4836 wrote to memory of 3880	4836	JaG.exe	124
PID 4836 wrote to memory of 3880	4836	JaG.exe	124
PID 3880 wrote to memory of 2952	3880	cmd.exe	126
PID 3880 wrote to memory of 2952	3880	cmd.exe	126
PID 3880 wrote to memory of 2952	3880	cmd.exe	126
PID 3516 wrote to memory of 4004	3516	cmd.exe	131
PID 3516 wrote to memory of 4004	3516	cmd.exe	131
PID 4524 wrote to memory of 5596	4524	cmd.exe	132
PID 4524 wrote to memory of 5596	4524	cmd.exe	132
PID 5636 wrote to memory of 4232	5636	cmd.exe	138
PID 5636 wrote to memory of 4232	5636	cmd.exe	138
PID 3100 wrote to memory of 3152	3100	cmd.exe	139
PID 3100 wrote to memory of 3152	3100	cmd.exe	139
PID 3008 wrote to memory of 5560	3008	cmd.exe	152
PID 3008 wrote to memory of 5560	3008	cmd.exe	152
PID 5304 wrote to memory of 1096	5304	cmd.exe	154
PID 5304 wrote to memory of 1096	5304	cmd.exe	154
PID 916 wrote to memory of 4220	916	cmd.exe	153
PID 916 wrote to memory of 4220	916	cmd.exe	153
PID 5688 wrote to memory of 5572	5688	cmd.exe	156
PID 5688 wrote to memory of 5572	5688	cmd.exe	156
PID 4484 wrote to memory of 2864	4484	cmd.exe	155
PID 4484 wrote to memory of 2864	4484	cmd.exe	155
PID 3704 wrote to memory of 400	3704	cmd.exe	157
PID 3704 wrote to memory of 400	3704	cmd.exe	157
PID 3012 wrote to memory of 4988	3012	cmd.exe	163
PID 3012 wrote to memory of 4988	3012	cmd.exe	163
PID 864 wrote to memory of 4916	864	cmd.exe	164
PID 864 wrote to memory of 4916	864	cmd.exe	164
PID 4620 wrote to memory of 4728	4620	cmd.exe	169
PID 4620 wrote to memory of 4728	4620	cmd.exe	169
PID 4896 wrote to memory of 4768	4896	cmd.exe	170
PID 4896 wrote to memory of 4768	4896	cmd.exe	170
PID 3016 wrote to memory of 5724	3016	cmd.exe	175
PID 3016 wrote to memory of 5724	3016	cmd.exe	175
PID 3980 wrote to memory of 5028	3980	cmd.exe	176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-25013-67789543AX.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rHMh.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DPGLXM.js"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:2328
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\notepad.js"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\JaG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaG.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 69 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\Admin\Audio\Windows Audio.exe"
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 69
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\Admin\Audio\Windows Audio.exe"
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4856
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 76 > nul && copy "C:\Users\Admin\AppData\Local\Temp\JaG.exe" "C:\Users\Admin\Audio\Windows Audio.exe" && ping 127.0.0.1 -n 76 > nul && "C:\Users\Admin\Audio\Windows Audio.exe"
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 76
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5652
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:6112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:5304
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4784
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4196
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5300
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2220
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:6112
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4536
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5168
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1356
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1932
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5132
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5424
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3816
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4564
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1604
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4272
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4800
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4876
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:6072
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4412
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5516
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3192
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5868
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3556
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:732
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1380
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5696
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5648
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5360
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5336
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2864
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5384
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2264
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3740
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2188
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4880
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5888
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3488
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Audio\Windows Audio.exe
1⤵
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5056
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4748
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5284
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:220
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2668
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1120
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:6036
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5444
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5656
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5404
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3680
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5804
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1308
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1176
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2468
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3180
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4632
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:6140
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3252
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4792
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3052
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5028
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3096
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4144
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5816
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3372
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4292
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3564
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1552
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1660
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2104
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4320
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3192
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4192
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1824
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:6088
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3224
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4244
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3976
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2100
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3376
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2500
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1508
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3952
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:8
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1060
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4624
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5316
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4276
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2688
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5032
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4352
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5344
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5436
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5188
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:708
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:6076
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4156
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2820
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2256
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:960
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5824
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1584
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3520
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3440
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:916
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5160
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2008
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3884
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5944
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3228
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2788
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:808
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4912
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3144
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1712
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4872
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4664
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3000
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1816
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2296
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:1948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3056
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4368
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2936
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4956
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:948
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5636
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4388
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3068
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4332
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:3212
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2012
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:4092
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2628
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:5836
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
1⤵
PID:2572
- C:\Windows\system32\wscript.exe
  wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  PID:4112

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DPGLXM.js

Filesize
1.3MB

MD5
f1af8190537061397ab2e8b144854f4e

SHA1
48e881915da20c5d14ca6a171a84fab73a4e7ac1

SHA256
a0610c3948c73dc591cc3546a57ffdf70edae3e1f777721750a4c2a63a8faed7

SHA512
da488a8bcfe1f2ea5d3f84a04a589d2a6543e2149d3c90c5d84964c1167c677dc4ed9aa29749e16ff8a0539481089361fdde0af5988434419c13601b790783ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaG.exe

Filesize
491KB

MD5
adf762bbb2c8be6a9d74fa8d12061864

SHA1
ca03b6d76291c442deb540fbca67c03fa2f508f5

SHA256
a3f559206618bc28e74b2b012661b070777a30d8cc25c3c7bd15d647c79f943b

SHA512
3d8884be6be8ed846c7c135ca20448a3f5b9476a0d10daf6ff912b6ed57e6c2654ccdc1cbd0df76d81440683115686b5cf882805cdc496a0a9600ec1b47e4288

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
283KB

MD5
3a199efed5262d76f55274d3047f7b6c

SHA1
4aae67a4755d465d81c03f3ef7abde8973a0c00f

SHA256
e27969a84aeeefa2f89a8cc39b218b90459cc62065dfd3fd732d32e7d7cf6a9e

SHA512
381b6638efc5f995a5ce3e813a45ac791b3fe4610b7eaea594e89023c882b217a423455ff3b21a507116d90f8e4469ea250637aefbdc6a08811fdf0538733194

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.js

Filesize
675KB

MD5
a8d8c98e6f8ebc288e78214951391417

SHA1
88e234df702c519f941d6784c7a2829bdebae954

SHA256
20c1a39b47d0cdd7938ced64f5a0855a6633d5b3f112773797b0e9b4c40eabf6

SHA512
0a61645bed89755fab4fb86298fac8f9f7577547bd83571405969f9a36cdf25d8305cb3de5d38b5fcacf374f6393a558ccb9495e15e0461414d3b58e58ee2170

Download Submit
C:\Users\Admin\AppData\Local\Temp\rHMh.js

Filesize
6KB

MD5
729371c1eb4754f612c5a5896f071886

SHA1
a9a69453d5da0ccf39133dfa82d547e3817615b5

SHA256
c8672671d905b2746a8fc526fb4f5947f0c5a7054409f327ea3550cb0f689360

SHA512
556198019e01641efea08baf24b51e5754bedfddb962232e2f033a90e595c1caf163e7029da17337d9f24ce08fca833614a2df67e8c655cdffcf6e5255f542f9

Download Submit
memory/4836-30-0x00000000003D0000-0x0000000000452000-memory.dmp

Filesize
520KB

Download
memory/4836-31-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/4836-32-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/4836-33-0x0000000004F60000-0x0000000004FFC000-memory.dmp

Filesize
624KB

Download
memory/4836-36-0x0000000004E20000-0x0000000004E46000-memory.dmp

Filesize
152KB

Download
memory/4836-37-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download