Summary | ZeroBOX

uDUxwumDrV.dll

Tags: OS Processor Check, PE64, PE File, DLL

Category: FILE
Machine: s1_win7_x3201
Started: April 28, 2021, 4:06 p.m.
Completed: April 28, 2021, 4:07 p.m.
Size 15.9MB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 ee03a7aafeaa2e4b937066e5efe8016f
SHA256 071726ffe3567442cc251bb3bf1b72db413081cbe1a41483c8cc230c31834816
CRC32 3AA46985
ssdeep 196608:TtPW0qJXS7S/PzVjqjKj4U1tc18OXVmJXSMKAQPJjDqPXDKw9AHurr6:Tt6Jjvj1tc1XVmJXvKAykPXOwuHh
Yara
  • PE_Header_Zero - PE File Signature
  • IsDLL - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE64 - (no description)

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action)
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls (Time & API / Arguments / Status / Return / Repeated)

GlobalMemoryStatusEx (no arguments recorded) Status: 1 Return: 1 Repeated: 0
section ?MYF.v\x1d%
section bX,7Ic,:
section 7vVtIR\x1fP
section 8:!CD-Y#
section lX9\x1cFMLW
section YT;jIN:!
section B;bdgtRg
section TD_8>Y0q
section =\Q-FAQc
section \x1c*\x1eHAdSP
section V:D8)cUm
section S%w9EedK
section vdR&<rVA
API calls (Time & API / Arguments / Status / Return / Repeated)

__exception__
stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x776ed08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x776e964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x776d4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x776d6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x776de825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x776d6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x776d5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x776d49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x776d5a20
RtlClearBits+0x2d8 TpCheckTerminateWorker-0x1a ntdll+0x5d700 @ 0x77aed700
LdrShutdownProcess+0x97 RtlSubtreePredecessor-0x503 ntdll+0x5e449 @ 0x77aee449
RtlExitUserProcess+0x74 RtlDetectHeapLeaks-0x4e ntdll+0x5e19f @ 0x77aee19f
ExitProcess+0x15 TerminateThread-0x143 kernel32+0x52164 @ 0x762e2164
rundll32+0x135c @ 0xf3135c
rundll32+0x1901 @ 0xf31901
BaseThreadInitThunk+0x12 SetUnhandledExceptionFilter-0xbc kernel32+0x53c45 @ 0x762e3c45
RtlInitializeExceptionChain+0xef RtlFreeSid-0x117 ntdll+0x637f5 @ 0x77af37f5
RtlInitializeExceptionChain+0xc2 RtlFreeSid-0x144 ntdll+0x637c8 @ 0x77af37c8

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x77703ef4
registers.esp: 2423704
registers.edi: 0
registers.eax: 15703592
registers.ebp: 2423732
registers.edx: 1
registers.ebx: 0
registers.esi: 4777704
registers.ecx: 1936537052
Status: 1 Return: 0 Repeated: 0
High-entropy sections (name / virtual_address / virtual_size / size_of_data / entropy):
section TD_8>Y0q virtual_address 0x006b1000 virtual_size 0x000488e0 size_of_data 0x00048a00 entropy 7.9991395216885115 description A section with a high entropy has been found
section =\Q-FAQc virtual_address 0x006fa000 virtual_size 0x000501c0 size_of_data 0x00050200 entropy 7.995932504638369 description A section with a high entropy has been found
section \x1c*\x1eHAdSP virtual_address 0x0074b000 virtual_size 0x0057ce61 size_of_data 0x0057d000 entropy 7.863972219166107 description A section with a high entropy has been found
section V:D8)cUm virtual_address 0x00cc8000 virtual_size 0x002ef574 size_of_data 0x002ef600 entropy 7.617840162915499 description A section with a high entropy has been found
entropy 0.566465303119 description Overall entropy of this PE file is high
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.FGHR
Cylance Unsafe
CrowdStrike win/malicious_confidence_100% (W)
K7GW Spyware ( 005791d51 )
K7AntiVirus Spyware ( 005791d51 )
Arcabit Trojan.Agent.FGHR
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win64/Spy.Mekotio.P
APEX Malicious
Avast Win64:Trojan-gen
BitDefender Trojan.Agent.FGHR
AegisLab Trojan.Win32.Fghr.4!c
Rising Spyware.Mekotio!8.F5DF (CLOUD)
Ad-Aware Trojan.Agent.FGHR
Emsisoft Trojan.Agent.FGHR (B)
McAfee-GW-Edition BehavesLike.Win64.Softcnapp.wc
FireEye Generic.mg.ee03a7aafeaa2e4b
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
Webroot W32.Trojan.Gen
MAX malware (ai score=83)
Kingsoft Win32.Troj.Generic.a.(kcloud)
Gridinsoft Trojan.Heur!.02296202
Microsoft Trojan:Win32/Wacatac.B!ml
GData Trojan.Agent.FGHR
McAfee Artemis!EE03A7AAFEAA
Malwarebytes Malware.AI.4211687409
TrendMicro-HouseCall TROJ_FRS.VSNTDR21
Fortinet W64/Mekotio.P!tr.spy
AVG Win64:Trojan-gen