Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 8, 2023, 9:40 a.m.	Nov. 8, 2023, 9:42 a.m.

Size	209.1KB
Type	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5	`f98b2d9799e83e700d3be6e231c3e615`
SHA256	`5f68fdf47b0e899369554258245c474772ba2dd1d10263200c93e988d41e22ff`
CRC32	`50715B5D`
ssdeep	`384:METIaiLgLQuwArA13wb06k/PTu6XYw7vpgGD/VAgkecH4DtPlFB4EUFbF2hrsF2v:METIVbgdMlNhoFr2Ka`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\work.vbs
2548

Name	Response	Post-Analysis Lookup
chongmei33.publicvm.com	A 103.47.144.63	103.47.144.63

IP Address	Status	Action
103.47.144.63	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2034457	ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2034457	ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 95 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2023, 9:41 a.m.	computer_name: TEST22-PC	1	1

Connects to a Dynamic DNS Domain (1 event)

domain

chongmei33.publicvm.com

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Nov. 8, 2023, 9:40 a.m.	number_of_free_clusters: 3252919 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:40 a.m.	number_of_free_clusters: 3252919 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:40 a.m.	number_of_free_clusters: 3252899 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252899 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252899 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252899 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252899 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 2240781 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252879 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252879 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252751 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252751 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:41 a.m.	number_of_free_clusters: 3252745 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:42 a.m.	number_of_free_clusters: 3252745 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:42 a.m.	number_of_free_clusters: 3252745 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:42 a.m.	number_of_free_clusters: 3252745 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:42 a.m.	number_of_free_clusters: 3252745 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:42 a.m.	number_of_free_clusters: 3252744 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Nov. 8, 2023, 9:42 a.m.	number_of_free_clusters: 3252744 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Wscript.exe initiated network communications indicative of a script based payload download (38 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Nov. 8, 2023, 9:40 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:40 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:40 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

Installs itself for autorun at Windows startup (40 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\work	reg_value	wscript.exe //B "C:\Users\test22\AppData\Local\Temp\work.vbs"

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

wscript.exe-based dropper (JScript, VBS) (19 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 57 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Nov. 8, 2023, 9:40 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:40 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:40 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:40 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:40 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:40 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:41 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:41 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:42 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:42 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send Nov. 8, 2023, 9:42 a.m.	buffer: ! socket: 992 sent: 1	1	1
InternetCrackUrlW Nov. 8, 2023, 9:42 a.m.	url: http://chongmei33.publicvm.com:7045/is-ready flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:42 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Skyhigh	VBS/Agent.dy
McAfee	VBS/Agent.dy
Symantec	VBS.Heur.SNIC
ESET-NOD32	VBS/Agent.OXW
Avast	JS:Skiddo-A [Trj]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.VBS.Agent.bdq
BitDefender	VB:Trojan.Valyria.4537
NANO-Antivirus	Trojan.Script.Agent.iwquii
MicroWorld-eScan	VB:Trojan.Valyria.4537
Sophos	VBS/DwnLdr-ACDC
F-Secure	Malware.VBS/Dldr.Agent.VPTL
VIPRE	VB:Trojan.Valyria.4537
FireEye	VB:Trojan.Valyria.4537
Emsisoft	VB:Trojan.Valyria.4537 (B)
GData	VB:Trojan.Valyria.4537
Varist	VBS/Dunihi.A
Avira	VBS/Dldr.Agent.VPTL
MAX	malware (ai score=83)
Arcabit	VB:Trojan.Valyria.D11B9
ZoneAlarm	Trojan.VBS.Agent.bdq
Google	Detected
ALYac	VB:Trojan.Valyria.4537
Ikarus	Trojan-Downloader.VBS.Agent
Fortinet	VBS/Agent.OXW!tr
AVG	JS:Skiddo-A [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (19 events)

dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49162
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49166
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49164
dead_host	192.168.56.101:49177
dead_host	103.47.144.63:7045
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49182

work.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All