Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 2, 2023, 8:49 p.m.	Aug. 2, 2023, 8:51 p.m.

Size	623.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`b820ca941ae4e895d4e172de1605a1fd`
SHA256	`24c802a366b3780a4d9745a900b69a4bc8d2c8702a03a8c11bf17997c0db7eaf`
CRC32	`99934981`
ssdeep	`12288:imkSnRikoRDegfDybtFDpJHqNMHBz2W5z02XNv3DfyZqp7oZTOQJ:iHm+ybfD7HqmBztz/R3uZfZqQJ`
PDB Path	C:\Users\media\Documents\GitHub\DX9-Overlay-API\bin\dx9_overlay.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,??_B?1??get_instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@CAAAV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@3@XZ@51
2552
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,??_B?1??get_instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@CAAAV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@3@XZ@51
2636
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,??_B?1??get_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@CAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ@51
2728
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_const_instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAABV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@3@XZ
2816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_const_instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAABV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@3@XZ
2908
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_const_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SAABV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ
3004
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@CAAAV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@3@XZ
2084
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@CAAAV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@3@XZ
2220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@CAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ
2492
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_mutable_instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAAAV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@3@XZ
2668
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_mutable_instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SAAAV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@3@XZ
2876
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?get_mutable_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ
812
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@0AAV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@3@A
2216
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@0AAV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@3@A
2580
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@0AAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@A
2952
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?is_destroyed@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SA_NXZ
2064
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?is_destroyed@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@SA_NXZ
2632
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?is_destroyed@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SA_NXZ
2784
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?t@?1??get_instance@?$singleton@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@CAAAV?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@4@XZ@4V?$singleton_wrapper@V?$map@Vtext_iarchive@archive@boost@@@extra_detail@detail@archive@boost@@@734@A
2320
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?t@?1??get_instance@?$singleton@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@serialization@boost@@CAAAV?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@4@XZ@4V?$singleton_wrapper@V?$map@Vtext_oarchive@archive@boost@@@extra_detail@detail@archive@boost@@@734@A
2740
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,?t@?1??get_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@CAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ@4V?$singleton_wrapper@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@st
2904
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxCreate
2888
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxDestroy
2588
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxSetBorder
3208
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxSetBorderColor
3348
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxSetColor
3476
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxSetHeight
3608
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxSetPos
3732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxSetShown
3856
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,BoxSetWidth
3984
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,DestroyAllVisual
1400
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,GetFrameRate
3228
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,GetScreenSpecs
3372
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,HideAllVisual
3520
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,ImageCreate
3784
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,ImageDestroy
3952
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,ImageSetAlign
3116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,ImageSetPos
3376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,ImageSetRotation
3536
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,ImageSetShown
3756
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,Init
3868
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,LineCreate
3172
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,LineDestroy
3392
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,LineSetColor
3712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,LineSetPos
3764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,LineSetShown
3408
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,LineSetWidth
3800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,SetCalculationRatio
3216
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,SetOverlayPriority
3752
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,SetParam
3900
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,ShowAllVisual
3420
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextCreate
3320
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextCreateUnicode
4152
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextDestroy
4276
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextSetColor
4404
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextSetPos
4536
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextSetShadow
4684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextSetShown
4816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextSetString
4940
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextSetStringUnicode
5060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextUpdate
4132
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,TextUpdateUnicode
4300
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,enable
4484
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\dx9_overlay.dll,
4676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\Users\media\Documents\GitHub\DX9-Overlay-API\bin\dx9_overlay.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 2, 2023, 8:49 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 2, 2023, 8:49 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 rundll32+0x135c @ 0x5c135c rundll32+0x1901 @ 0x5c1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 2553748 registers.edi: 0 registers.eax: 47680144 registers.ebp: 2553776 registers.edx: 1 registers.ebx: 0 registers.esi: 7660712 registers.ecx: 1932801500	1	0	0
__exception__ Aug. 2, 2023, 8:50 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 rundll32+0x135c @ 0x5c135c rundll32+0x1901 @ 0x5c1901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 718764 registers.edi: 0 registers.eax: 34507408 registers.ebp: 718792 registers.edx: 1 registers.ebx: 0 registers.esi: 3007472 registers.ecx: 1932801500	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 2, 2023, 8:49 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
rundll32+0x135c @ 0x5c135c
rundll32+0x1901 @ 0x5c1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 2553748
registers.edi: 0
registers.eax: 47680144
registers.ebp: 2553776
registers.edx: 1
registers.ebx: 0
registers.esi: 7660712
registers.ecx: 1932801500

__exception__

Aug. 2, 2023, 8:50 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
rundll32+0x135c @ 0x5c135c
rundll32+0x1901 @ 0x5c1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 718764
registers.edi: 0
registers.eax: 34507408
registers.ebp: 718792
registers.edx: 1
registers.ebx: 0
registers.esi: 3007472
registers.ecx: 1932801500

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

CrowdStrike	win/grayware_confidence_70% (D)
VBA32	BScope.Trojan.Wacatac

dx9_overlay.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All