RE: LeoThread 2024-11-11 05:49

Second-stage payload
Upon review of the running processes, we were able to determine that a small JavaScript file was dropping a large JavaScript file at the location C:\Users\<Username>\AppData\Roaming\Microsoft\ on the user’s machine. During our testing, the large JavaScript file generated by the malicious site and its name, downloaded to the user’s %temp% directory, were different each time the initial JavaScript was executed. The file we observed in this case was named Temp1_Are_bengal_cats_legal_in_australia_33924.zip\are_bengal_cats_legal_in_australia_80872.js.