Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2023, 9:40 a.m.	June 7, 2023, 9:42 a.m.

Size	4.6MB
Type	ASCII text, with very long lines, with no line terminators
MD5	`e8150ba03200183abce718f6b028b2c3`
SHA256	`3f3ee13d1a86d8f63c3c730556cfcff2a1f8d22980fdc001b5240ce7315dcd23`
CRC32	`ADB463A0`
ssdeep	`24576:p5K1gGMDzG6PbjQ46Te9iEQokfhrC/SwzkfHGi9xM7LHyG9XqUrQdAtzkTGCJTrK:G3Fmv`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ShippingDetails.js
2556
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\VQlpXNzQJz.js"
  2696
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
  2740
  - wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\VQlpXNzQJz.js"
    2944

Name	Response	Post-Analysis Lookup
jemyy.theworkpc.com	A 109.248.144.235	109.248.144.235

IP Address	Status	Action
109.248.144.235	Active	Moloch
139.177.146.165	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 137 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 7, 2023, 9:40 a.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 9:40 a.m.	process_identifier: 2740 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 9:40 a.m.	process_identifier: 2944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

wscript.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW June 7, 2023, 9:40 a.m.	number_of_free_clusters: 3249414 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2023, 9:40 a.m.	number_of_free_clusters: 3249402 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2023, 9:41 a.m.	number_of_free_clusters: 3249318 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2023, 9:41 a.m.	number_of_free_clusters: 3249184 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW June 7, 2023, 9:42 a.m.	number_of_free_clusters: 3249184 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\VQlpXNzQJz.js

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Avast	Other:Malware-gen [Trj]
BitDefender	Trojan.GenericKD.67395085
MicroWorld-eScan	Trojan.GenericKD.67395085
FireEye	Trojan.GenericKD.67395085
GData	Trojan.GenericKD.67395085
Gridinsoft	Trojan.U.Gen.bot
Microsoft	Trojan:Win32/Casdet!rfn
MAX	malware (ai score=82)
AVG	Other:Malware-gen [Trj]

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Communicates with host for which no DNS query was performed (1 event)

host

139.177.146.165

Wscript.exe initiated network communications indicative of a script based payload download (50 out of 62 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:42 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:42 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 7, 2023, 9:42 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356

Installs itself for autorun at Windows startup (14 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ShippingDetails	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"

A potential heapspray has been detected. 93 megabytes was sprayed onto the heap of the wscript.exe process (1 event)

count

4782

name

heapspray

process

wscript.exe

total_mb

length

20480

protection

PAGE_READWRITE

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

wscript.exe-based dropper (JScript, VBS) (31 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 93 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:40 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:40 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:40 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:40 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:40 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:41 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:41 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:41 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:41 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:41 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:41 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:42 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:42 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:42 a.m.	url: http://jemyy.theworkpc.com:5401/Vre flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send June 7, 2023, 9:42 a.m.	buffer: ! socket: 1020 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 7, 2023, 9:40 a.m.	buffer: ! socket: 1108 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:40 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 7, 2023, 9:40 a.m.	buffer: ! socket: 1108 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send June 7, 2023, 9:41 a.m.	buffer: ! socket: 1108 sent: 1	1	1
InternetCrackUrlW June 7, 2023, 9:41 a.m.	url: http://139.177.146.165:4848/is-ready flags: 0	1	1
HttpOpenRequestW June 7, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

One or more non-whitelisted processes were created (6 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\VQlpXNzQJz.js"
parent_process	wscript.exe	martian_process	wscript //B "C:\Users\test22\AppData\Roaming\VQlpXNzQJz.js"
parent_process	wscript.exe	martian_process	wscript.exe //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\VQlpXNzQJz.js"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\ShippingDetails.js"
parent_process	wscript.exe	martian_process	wscript //B "C:\Users\test22\AppData\Roaming\VQlpXNzQJz.js"

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (28 events)

dead_host	139.177.146.165:4848
dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49192
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49184
dead_host	192.168.56.101:49193
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49197
dead_host	192.168.56.101:49177
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49185
dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49194
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49198
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49186
dead_host	109.248.144.235:5401
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49195
dead_host	192.168.56.101:49190
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49164
dead_host	192.168.56.101:49183

ShippingDetails.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All