Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

Complaint_Copy_798708.wsf

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 20, 2023, 11:20 a.m.	April 20, 2023, 11:22 a.m.

Size	17.6KB
Type	ASCII text, with very long lines, with CRLF, LF line terminators
MD5	`c91431eb09675290e644c2e8a07213cd`
SHA256	`b3fe399fba93aff43112369ae44a6db80a16dcaf72b5dd5a66a4a6ee216e15ec`
CRC32	`122BDF06`
ssdeep	`384:X3kgIqQwE5nyQaDfTEnJEBtjHzTvfK9whxUPbJmUtPYZWxDUk:X3JIm3DfTdjTTyX1ZOWr`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Complaint_Copy_798708.wsf
2552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
85.239.53.73	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Communicates with host for which no DNS query was performed (1 event)

host

85.239.53.73

Wscript.exe initiated network communications indicative of a script based payload download (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 20, 2023, 11:20 a.m.	url: http://85.239.53.73/aO03psmvtKQU.dat flags: 0	1	1	0
HttpOpenRequestW April 20, 2023, 11:20 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /aO03psmvtKQU.dat	1	13369356	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 20, 2023, 11:20 a.m.	url: http://85.239.53.73/aO03psmvtKQU.dat flags: 0	1	1	0
HttpOpenRequestW April 20, 2023, 11:20 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /aO03psmvtKQU.dat	1	13369356	0
send April 20, 2023, 11:20 a.m.	buffer: ! socket: 872 sent: 1	1	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

85.239.53.73:80