Summary | ZeroBOX

DVolPro.dll

Malicious Library UPX PE32 PE File DLL
Category FILE
Machine s1_win7_x6402
Started June 5, 2023, 4:40 p.m.
Completed June 5, 2023, 4:42 p.m.
Size 8.0MB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 30e1d0c1941167612a1da0bb79a03be8
SHA256 01fd9d0fefc8a123f59347eb48de14336d641b22440ba20b6724f506b0a892ad
CRC32 4AA2E919
ssdeep 196608:MqwXvaXu8N9GEFH20R85wLIhiNz6aWSzJUovW:6AH2I8czN+tSzJxW
PDB Path d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb
Yara
  • UPX_Zero - UPX packed file
  • IsDLL - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
pdb_path d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .0x7950
section .0x7951
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x28f104

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 2681944
registers.edi: 1901527040
registers.eax: 3200643840
registers.ebp: 2683080
registers.edx: 53
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x2af010

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 2812772
registers.edi: 1901527040
registers.eax: 3704049194
registers.ebp: 2813908
registers.edx: 53
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x1ef414

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 2027368
registers.edi: 1901527040
registers.eax: 4112341883
registers.ebp: 2028504
registers.edx: 53
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0xf4135c
rundll32+0x1901 @ 0xf41901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 2029644
registers.edi: 0
registers.eax: 47772280
registers.ebp: 2029672
registers.edx: 1
registers.ebx: 0
registers.esi: 4582848
registers.ecx: 1945384660
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x2df804

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 3011416
registers.edi: 1901527040
registers.eax: 2623361876
registers.ebp: 3012552
registers.edx: 53
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0xf4135c
rundll32+0x1901 @ 0xf41901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 3013692
registers.edi: 0
registers.eax: 47812480
registers.ebp: 3013720
registers.edx: 1
registers.ebx: 0
registers.esi: 3599808
registers.ecx: 1945384660
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x2af4bc

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 2813968
registers.edi: 1901527040
registers.eax: 300664812
registers.ebp: 2815104
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x2bf31c

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 2879088
registers.edi: 1901527040
registers.eax: 3214530719
registers.ebp: 2880224
registers.edx: 53
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x1ff464

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 2092984
registers.edi: 1901527040
registers.eax: 2543358321
registers.ebp: 2094120
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x28f0ec

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 2681920
registers.edi: 1901527040
registers.eax: 1171745117
registers.ebp: 2683056
registers.edx: 55
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0xf4135c
rundll32+0x1901 @ 0xf41901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 2684196
registers.edi: 0
registers.eax: 48231032
registers.ebp: 2684224
registers.edx: 1
registers.ebx: 0
registers.esi: 5369280
registers.ecx: 1945384660
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x13f208

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 1305948
registers.edi: 1901527040
registers.eax: 3544293862
registers.ebp: 1307084
registers.edx: 55
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0xf4135c
rundll32+0x1901 @ 0xf41901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 1308224
registers.edi: 0
registers.eax: 13562488
registers.ebp: 1308252
registers.edx: 1
registers.ebx: 0
registers.esi: 6090200
registers.ecx: 1945384660
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x15f60c

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 1438048
registers.edi: 1901527040
registers.eax: 441819681
registers.ebp: 1439184
registers.edx: 56
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0x1df514

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 1962088
registers.edi: 1901527040
registers.eax: 2422450080
registers.ebp: 1963224
registers.edx: 56
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
rundll32+0x135c @ 0xf4135c
rundll32+0x1901 @ 0xf41901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 1964364
registers.edi: 0
registers.eax: 12120696
registers.ebp: 1964392
registers.edx: 1
registers.ebx: 0
registers.esi: 5172704
registers.ecx: 1945384660
1 0 0

__exception__

stacktrace:
RAROpenArchive+0x7b2838 dvolpro+0x7bc948 @ 0x71d2c948
0xbf214

exception.instruction_r: 90 68 a5 a7 c8 f9 e8 37 6a 98 ff c9 b9 35 7d ec
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: RAROpenArchive+0xd5bab0 dvolpro+0xd65bc0
exception.address: 0x722d5bc0
registers.esp: 781672
registers.edi: 1901527040
registers.eax: 419208073
registers.ebp: 782808
registers.edx: 57
registers.ebx: 0
registers.esi: 0
registers.ecx: 838
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ed1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2820
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2820
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2820
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2820
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ed1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ed1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ed1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ee3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1700
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71d1e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1700
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0
section .0x7951 (size_of_data 0x007d1c00, virtual_address 0x00636000, virtual_size 0x007d1af0, entropy 7.9794641777676745) entropy 7.97946417777 description A section with a high entropy has been found
entropy 0.983057090239 description Overall entropy of this PE file is high
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.67081981
McAfee Artemis!30E1D0C19411
VIPRE Trojan.GenericKD.67081981
Sangfor Trojan.Win32.Agent.Vku9
Alibaba Packed:Win32/VMProtect.682ed7e9
BitDefenderTheta Gen:NN.ZedlaF.36250.@F!@aW8tn2pi
Cyren W32/ABRisk.BJTL-6045
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.VMProtect.ACR
BitDefender Trojan.GenericKD.67081981
Avast Win32:Trojan-gen
Rising Trojan.Generic@AI.86 (RDML:8DA6E998ht54ldGUo3Pn6g)
Emsisoft Trojan.GenericKD.67081981 (B)
DrWeb Program.Unwanted.5065
Zillya Trojan.VMProtect.Win32.81036
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.30e1d0c194116761
Sophos Mal/Generic-R
Ikarus Trojan.Win32.VMProtect
GData Trojan.GenericKD.67081981
Webroot Pua.Gen
MAX malware (ai score=84)
Antiy-AVL Trojan[Packed]/Win32.VMProtect
Gridinsoft Trojan.Win32.Packed.ns
Arcabit Trojan.Generic.D3FF96FD
Google Detected
ALYac Trojan.GenericKD.67081981
Cylance unsafe
Panda Trj/RnkBend.A
TrendMicro-HouseCall TROJ_GEN.R002H09EH23
MaxSecure Trojan.Malware.208598429.susgen
Fortinet Riskware/Application
AVG Win32:Trojan-gen
DeepInstinct MALICIOUS