Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 13, 2025, 3:18 p.m.	April 13, 2025, 3:28 p.m.

Size	461.4KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9308044d486d7b3f5ffee3f41d3f7881`
SHA256	`a4846d7540225062d89a5bb08fdc3ed947e0ca684507a5f21bfe7d71bbcc2dd3`
CRC32	`EE66559B`
ssdeep	`6144:CLgtRLl3jFbiumDh4Su7XjnEyL8h+uACdWfdoxn67CQQdzS5gaMC2eY:CLSLl3pdm92QIloxnMcYrMBeY`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

rxm.exe "C:\Users\test22\AppData\Local\Temp\rxm.exe"
2572
- csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ytbmikqy.cmdline"
  2716
  - cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFC13.tmp" "c:\Users\test22\AppData\Local\Temp\CSC1AE3A189E48E4B51A8259854D939E873.TMP"
    2780

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
77.223.119.85	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 77.223.119.85:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 77.223.119.85:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 77.223.119.85:80 -> 192.168.56.101:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.223.119.85:80 -> 192.168.56.101:49161	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.223.119.85:80 -> 192.168.56.101:49161	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49175 77.223.119.85:1414	CN=Loader Panel/OU=qwqdanchun/O=DcRat By qwqdanchun/L=SH/C=CN	CN=DcRat	f8:8b:52:df:c9:ff:7b:42:3e:47:9a:47:43:ee:6b:05:57:b1:49:35

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2025, 3:18 p.m.			0	0
IsDebuggerPresent April 13, 2025, 3:18 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (9 events)

Time & API	Arguments	Status	Return
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00638418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00638418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00638418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00638418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00638398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2025, 3:18 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006382d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2025, 3:18 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://77.223.119.85/tb.exe

Performs some HTTP requests (1 event)

request

GET http://77.223.119.85/tb.exe

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2716 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2716 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02290000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	c:\Users\test22\AppData\Local\Temp\ytbmikqy.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\ytbmikqy.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 13, 2025, 3:18 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 13, 2025, 3:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (6 events)

Time & API	Arguments	Status
NtTerminateProcess April 13, 2025, 3:18 p.m.	status_code: 0xffffffff process_identifier: 2828 process_handle: 0x00000234
NtTerminateProcess April 13, 2025, 3:18 p.m.	status_code: 0xffffffff process_identifier: 2828 process_handle: 0x00000234	1
NtTerminateProcess April 13, 2025, 3:18 p.m.	status_code: 0xffffffff process_identifier: 2864 process_handle: 0x00000238
NtTerminateProcess April 13, 2025, 3:18 p.m.	status_code: 0xffffffff process_identifier: 2864 process_handle: 0x00000238	1
NtTerminateProcess April 13, 2025, 3:18 p.m.	status_code: 0xffffffff process_identifier: 2900 process_handle: 0x0000023c
NtTerminateProcess April 13, 2025, 3:18 p.m.	status_code: 0xffffffff process_identifier: 2900 process_handle: 0x0000023c	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ytbmikqy.cmdline"

Communicates with host for which no DNS query was performed (1 event)

host

77.223.119.85

Allocates execute permission to another process indicative of possible code injection (4 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2828 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc		3221225496
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2864 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000328		3221225496
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2900 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200		3221225496
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2936 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000208	1	0

Deletes executed files from disk (2 events)

file	c:\Users\test22\AppData\Local\Temp\CSC1AE3A189E48E4B51A8259854D939E873.TMP
file	C:\Users\test22\AppData\Local\Temp\RESFC13.tmp

Manipulates memory of a non-child process indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 manipulating memory of non-child process 2828
Process injection	Process 2572 manipulating memory of non-child process 2864
Process injection	Process 2572 manipulating memory of non-child process 2900
Process injection	Process 2572 manipulating memory of non-child process 2936
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2828 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc		3221225496	0
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2864 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000328		3221225496	0
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2900 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200		3221225496	0
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2936 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000208	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 injected into non-child 2936
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGÚÕà"0n· À@ `·WÀªà H.textt `.rsrcªÀ@@.relocà @B base_address: 0x00400000 process_identifier: 2936 process_handle: 0x00000208	1	1	0
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: P8h À ÀÃê 4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfo\000004b0$CommentsCxApp,CompanyNameCxApp4FileDescriptionCxApp0FileVersion1.0.0.02 InternalNameStub.exeTLegalCopyrightCopyright © CxApp 20254LegalTrademarksCxApp: OriginalFilenameStub.exe,ProductNameCxApp4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0057c000 process_identifier: 2936 process_handle: 0x00000208	1	1	0
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: °p7 base_address: 0x0057e000 process_identifier: 2936 process_handle: 0x00000208	1	1	0
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2936 process_handle: 0x00000208	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 injected into non-child 2936
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGÚÕà"0n· À@ `·WÀªà H.textt `.rsrcªÀ@@.relocà @B base_address: 0x00400000 process_identifier: 2936 process_handle: 0x00000208	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 called NtSetContextThread to modify thread in remote process 2936
NtSetContextThread April 13, 2025, 3:18 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5748590 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 2936	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2572 resumed a thread in remote process 2936
NtResumeThread April 13, 2025, 3:18 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2936	1	0	0

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Bkav	W32.AIDetectMalware.CS
Cylance	Unsafe
VIPRE	Gen:Trojan.Mardom.MN.24
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Gen:Trojan.Mardom.MN.24
Arcabit	Trojan.Mardom.MN.24
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.RXI
APEX	Malicious
Kaspersky	VHO:Backdoor.MSIL.XWorm.gen
MicroWorld-eScan	Gen:Trojan.Mardom.MN.24
Emsisoft	Gen:Trojan.Mardom.MN.24 (B)
DrWeb	Trojan.DownLoader48.29860
CTX	exe.trojan.mardom
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Kingsoft	malware.kb.c.1000
AhnLab-V3	Malware/Win.Mardom.C5751795
DeepInstinct	MALICIOUS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Fortinet	MSIL/Agent.RXI!tr

Executed a process and injected code into it, probably while unpacking (25 events)

Time & API	Arguments	Status	Return
NtResumeThread April 13, 2025, 3:18 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2572	1	0
NtResumeThread April 13, 2025, 3:18 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2572	1	0
NtResumeThread April 13, 2025, 3:18 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2572	1	0
NtResumeThread April 13, 2025, 3:18 p.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2572	1	0
CreateProcessInternalW April 13, 2025, 3:18 p.m.	thread_identifier: 2720 thread_handle: 0x00000370 process_identifier: 2716 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ytbmikqy.cmdline" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000374	1	1
CreateProcessInternalW April 13, 2025, 3:18 p.m.	thread_identifier: 2832 thread_handle: 0x00000230 process_identifier: 2828 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001fc	1	1
NtGetContextThread April 13, 2025, 3:18 p.m.	thread_handle: 0x00000230	1	0
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2828 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc		3221225496
CreateProcessInternalW April 13, 2025, 3:18 p.m.	thread_identifier: 2868 thread_handle: 0x00000234 process_identifier: 2864 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000328	1	1
NtGetContextThread April 13, 2025, 3:18 p.m.	thread_handle: 0x00000234	1	0
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2864 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000328		3221225496
CreateProcessInternalW April 13, 2025, 3:18 p.m.	thread_identifier: 2904 thread_handle: 0x00000238 process_identifier: 2900 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000200	1	1
NtGetContextThread April 13, 2025, 3:18 p.m.	thread_handle: 0x00000238	1	0
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2900 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200		3221225496
CreateProcessInternalW April 13, 2025, 3:18 p.m.	thread_identifier: 2940 thread_handle: 0x0000023c process_identifier: 2936 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000208	1	1
NtGetContextThread April 13, 2025, 3:18 p.m.	thread_handle: 0x0000023c	1	0
NtAllocateVirtualMemory April 13, 2025, 3:18 p.m.	process_identifier: 2936 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000208	1	0
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELGÚÕà"0n· À@ `·WÀªà H.textt `.rsrcªÀ@@.relocà @B base_address: 0x00400000 process_identifier: 2936 process_handle: 0x00000208	1	1
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: base_address: 0x00402000 process_identifier: 2936 process_handle: 0x00000208	1	1
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: P8h À ÀÃê 4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfo\000004b0$CommentsCxApp,CompanyNameCxApp4FileDescriptionCxApp0FileVersion1.0.0.02 InternalNameStub.exeTLegalCopyrightCopyright © CxApp 20254LegalTrademarksCxApp: OriginalFilenameStub.exe,ProductNameCxApp4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0057c000 process_identifier: 2936 process_handle: 0x00000208	1	1
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: °p7 base_address: 0x0057e000 process_identifier: 2936 process_handle: 0x00000208	1	1
WriteProcessMemory April 13, 2025, 3:18 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2936 process_handle: 0x00000208	1	1
NtSetContextThread April 13, 2025, 3:18 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 5748590 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000023c process_identifier: 2936	1	0
NtResumeThread April 13, 2025, 3:18 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2936	1	0
CreateProcessInternalW April 13, 2025, 3:18 p.m.	thread_identifier: 2784 thread_handle: 0x000000d4 process_identifier: 2780 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFC13.tmp" "c:\Users\test22\AppData\Local\Temp\CSC1AE3A189E48E4B51A8259854D939E873.TMP" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000000d0	1	1

rxm.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All