Various dynamic analysis tools were used to examine the behavior of the malicious JavaScript. Upon execution, WScript.exe was observed creating the first file located within C:\Users\<Username>\AppData\Roaming\Notepad++\, as shown in Figure 10. Although Windows Sysinternals Process Monitor recorded a CreateFile event for it, the file was not written to disk and no deletion event was seen.
Shortly after WScript.exe executed Are_bengal_cats_legal_in_australia_72495.js, Process Hacker showed CScript.exe and PowerShell.exe being created, with a conhost.exe spawned, as shown in Figure 11. MDR observed that WScript.exe would terminate, followed shortly after by CScript.exe, which also terminated, after which PowerShell.exe was created.
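Because the script hosts exit quickly, a detection for this sequence has to rebuild lineage from recorded process-creation events, not from the live process table. The following is an added example, not code from the original analysis. It assumes each host was the parent of the next and uses constructed Sysmon-style events (PIDs, parent links, the Downloads path and the argument placeholders are illustrative).

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# PIDs, parent links and command lines are illustrative, not from the report.
EVENTS = [
    {"pid": 3020, "ppid": 700, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 5112, "ppid": 3020, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'WScript.exe "C:\Users\user\Downloads\Are_bengal_cats_legal_in_australia_72495.js"'},
    {"pid": 5340, "ppid": 5112, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": "cscript.exe <arguments not shown in report>"},
    {"pid": 5388, "ppid": 5340, "image": r"C:\Windows\System32\conhost.exe", "cmd": "conhost.exe"},
    {"pid": 5420, "ppid": 5340, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe <arguments not shown in report>"},
    # Benign: PowerShell started interactively from Explorer.
    {"pid": 6001, "ppid": 3020, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
]

EXPECTED = ["wscript.exe", "cscript.exe", "powershell.exe"]  # root -> leaf

def name(event):
    return ntpath.basename(event["image"]).lower()

def ancestry(event, by_pid):
    """Walk parent links through recorded events; parents may already have exited."""
    chain, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])
        chain.append(event)
        event = by_pid.get(event["ppid"])
    return chain[::-1]  # root first

def find_script_chains(events):
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    hits = []
    for e in events:
        if name(e) != "powershell.exe":
            continue
        chain = ancestry(e, by_pid)
        # Require the three hosts as consecutive ancestors ending at PowerShell.
        if [name(p) for p in chain[-3:]] != EXPECTED:
            continue
        root = chain[-3]
        if ".js" in root["cmd"].lower():  # WScript was launched on a JavaScript file
            hits.append({"script_cmd": root["cmd"], "pids": [p["pid"] for p in chain[-3:]]})
    return hits

if __name__ == "__main__":
    print(find_script_chains(EVENTS))
```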