Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 15, 2023, 3:04 p.m.	Dec. 15, 2023, 3:14 p.m.

Size	202.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`6ecc1d52fba67fdcade83bbdc9576477`
SHA256	`ee04724662bb9fab4a290c3152a80880c92711f4d999cb7429d6fdee10aaeddd`
CRC32	`BCD084AF`
ssdeep	`3072:zKIGcd/2RapPif65K05LfrwbHyDaO+OtCh6Rs99AjS9IW6GXD/YdhR/ujpuX6gXG:zUcAlwxfr1G1Ok0R09A2KW6ysXvxfL3c`
PDB Path	D:\ä¸æ¹ Visual Studio 2022\Mpclient\Release\Mpclient.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpAllocMemory
2060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpAddDynamicSignatureFile
516
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpAmsiCloseSession
2152
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpAmsiNotify
2244
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpAmsiScan
2336
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpAsrSetHipsUserExclusion
2444
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpChangeCapability
2548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCheckAccessForClipboardOperation
2640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCheckAccessForClipboardOperationEx
2764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCheckAccessForClipboardOperationEx2
2864
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCheckAccessForDragDropOperation
2956
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCheckAccessForDragDropOperation2
3056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCheckAccessForPrintOperation
2192
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCheckAccessForPrintOperation2
2324
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCleanControl
2456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCleanOpen
2560
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCleanPrecheckStart
2708
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCleanStart
2848
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpClientUtilExportFunctions
3000
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpClose
3048
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigClose
2260
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigDelValue
2428
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigGetValue
2580
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigGetValueAlloc
2788
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigInitialize
2936
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigIteratorClose
2704
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigIteratorEnum
2356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigIteratorEnumV2
2340
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigIteratorOpen
108
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigOpen
2320
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigQueryProtection
2228
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigRefresh
2352
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigRegisterForNotifications
2644
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigSetValue
3044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigUninitialize
2400
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConfigUnregisterNotifications
2904
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConveyDlpBypass
2944
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConveySampleSubmissionResult
2852
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConveyUserChoiceForDlpNotification
2624
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConveyUserChoiceForDlpNotificationEx
2816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpConveyUserChoiceForSampleList
2692
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpCreateComInstance
932
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDbgAllocMemory
2588
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDebugExportFunctions
3132
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDefenderIsPrintAccessCheckNeeded
3228
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDefenderPrintAccessCheck
3324
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDefenderPrintDataProvide
3420
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDelegateCopyFile
3516
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDeleteAsrHistory
3612
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDetectionEnumerate
3708
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDetectionQuery
3800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDeviceControlAuthenticateNetworkShare
3900
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDeviceControlValidateDataDuplicationRemoteLocationConfiguration
3996
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpCheckAccessForBuffer
4084
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpDelegateEnforcement
3168
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpGetEvidenceFileUrl
3300
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpGetOperationEnforcmentMode
3452
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpInitializeEnforcementMode
3328
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpNotifyCloseDocumentFile
3700
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpNotifyPostOpenDocumentFile
3820
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpNotifyPostSaveAsDocument
3856
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpNotifyPostStartPrint
3084
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpNotifyPreOpenDocumentFile
3212
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpNotifyPrePrint
3368
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDlpNotifyPreSaveAsDocument
3548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDynamicSignatureEnumerate
3744
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpDynamicSignatureOpen
3712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpElevateCleanHandle
4076
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpElevationHandleAcquire
4000
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\Mpclient.dll,MpElevationHandleActivate
3496

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 68 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0
IsDebuggerPresent Dec. 15, 2023, 3:04 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\ä¸æ¹ Visual Studio 2022\Mpclient\Release\Mpclient.pdb

Allocates read-write-execute memory (usually to unpack itself) (50 out of 408 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 3:04 p.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Jaik.101379
Sangfor	Trojan.Win32.Rozena.Vdxq
Symantec	Trojan.Gen.MBT
ESET-NOD32	Win32/Rozena.BUF
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Jaik.101379
Avast	FileRepMalware [Misc]
Emsisoft	Gen:Variant.Jaik.101379 (B)
Ikarus	Win32.Outbreak
Antiy-AVL	Trojan/Win32.Rozena
Microsoft	Trojan:Win32/Malgent!MSR
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Jaik.101379
Google	Detected
VBA32	SigCompromised.MEDIATEKINC
MAX	malware (ai score=83)
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R014H0DLE23
Rising	Trojan.Rozena!8.6D (TFE:5:H0Bz8OO6O3T)
AVG	FileRepMalware [Misc]
DeepInstinct	MALICIOUS

Mpclient.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All