Source: uddisrw.exe |
ReversingLabs: Detection: 75% |
Source: uddisrw.exe |
Virustotal: Detection: 62% |
Source: uddisrw.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00404F50 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, |
0_2_00404F50 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00426ACC OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, |
0_2_00426ACC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00420564 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, |
0_2_00420564 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00433E78 GetKeyboardState, |
0_2_00433E78 |
Source: uddisrw.exe |
Binary or memory string: vssadmin delete shadows /for=c: /all |
Source: uddisrw.exe |
Binary or memory string: vssadmin delete shadows /for=f: /all |
Source: uddisrw.exe |
Binary or memory string: vssadmin delete shadows /for=d: /all |
Source: uddisrw.exe |
Binary or memory string: vssadmin delete shadows /for=e: /all |
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp |
Binary or memory string: vssadmin delete shadows /for=c: /all |
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp |
Binary or memory string: vssadmin delete shadows /for=d: /all |
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp |
Binary or memory string: vssadmin delete shadows /for=e: /all |
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp |
Binary or memory string: vssadmin delete shadows /for=f: /all |
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp |
Binary or memory string: vssadmin delete shadows /for=c: /allvssadmin delete shadows /for=d: /allvssadmin delete shadows /for=e: /allvssadmin delete shadows /for=f: /allRDP Admin RestoreSystem Restore Points cleared!Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.comU |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00436DF4 NtdllDefWindowProc_A,GetCapture, |
0_2_00436DF4 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004514F4 NtdllDefWindowProc_A, |
0_2_004514F4 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0042842C NtdllDefWindowProc_A, |
0_2_0042842C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00446820 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
0_2_00446820 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00451C9C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
0_2_00451C9C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00451D4C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
0_2_00451D4C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00446820 |
0_2_00446820 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0044B9EC |
0_2_0044B9EC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: String function: 00403E4C appears 68 times |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: String function: 00405F08 appears 61 times |
Source: uddisrw.exe |
Static PE information: Section: UPX1 ZLIB complexity 0.9916666666666667 |
Source: classification engine |
Classification label: mal60.rans.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041D9EC GetLastError,FormatMessageA, |
0_2_0041D9EC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004082EA GetDiskFreeSpaceA, |
0_2_004082EA |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00413670 FindResourceA, |
0_2_00413670 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\uddisrw.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\uddisrw.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\uddisrw.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\uddisrw.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00425A1C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_00425A1C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0043E388 push 0043E415h; ret |
0_2_0043E40D |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004261A8 push 004261F7h; ret |
0_2_004261EF |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00426250 push 0042627Ch; ret |
0_2_00426274 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00426218 push 00426244h; ret |
0_2_0042623C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004262C8 push 004262F4h; ret |
0_2_004262EC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004242EC push 00424318h; ret |
0_2_00424310 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00426290 push 004262BCh; ret |
0_2_004262B4 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004242AC push 004242D8h; ret |
0_2_004242D0 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00426300 push 0042632Ch; ret |
0_2_00426324 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0043E320 push 0043E386h; ret |
0_2_0043E37E |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00426338 push 00426364h; ret |
0_2_0042635C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004263F0 push 0042641Ch; ret |
0_2_00426414 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00426380 push 004263ACh; ret |
0_2_004263A4 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004263B8 push 004263E4h; ret |
0_2_004263DC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004105D2 push 0041064Ah; ret |
0_2_00410642 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004105D4 push 0041064Ah; ret |
0_2_00410642 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041064C push 004106F4h; ret |
0_2_004106EC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041A686 push 0041A733h; ret |
0_2_0041A72B |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041A688 push 0041A733h; ret |
0_2_0041A72B |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041A738 push 0041A7C8h; ret |
0_2_0041A7C0 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004107E0 push 0041080Ch; ret |
0_2_00410804 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004067F4 push ecx; mov dword ptr [esp], eax |
0_2_004067F5 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0042886C push 004288AFh; ret |
0_2_004288A7 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004288E4 push 00428910h; ret |
0_2_00428908 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0042891C push 00428954h; ret |
0_2_0042894C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00412938 push ecx; mov dword ptr [esp], edx |
0_2_0041293D |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004069D8 push 00406A04h; ret |
0_2_004069FC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004289B0 push 004289DCh; ret |
0_2_004289D4 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041AA50 push 0041AA80h; ret |
0_2_0041AA78 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041AA54 push 0041AA80h; ret |
0_2_0041AA78 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00406A10 push 00406A3Ch; ret |
0_2_00406A34 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0045157C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
0_2_0045157C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00438518 IsIconic,GetCapture, |
0_2_00438518 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0044E5A4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
0_2_0044E5A4 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00438DCC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
0_2_00438DCC |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_004396F0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
0_2_004396F0 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_00423D64 IsIconic,GetWindowPlacement,GetWindowRect, |
0_2_00423D64 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0042D70C |
0_2_0042D70C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, |
0_2_00450AEC |
Source: C:\Users\user\Desktop\uddisrw.exe |
API coverage: 5.9 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0041DF7C GetSystemInfo, |
0_2_0041DF7C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
0_2_00405108 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: GetLocaleInfoA,GetACP, |
0_2_0040C228 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: GetLocaleInfoA, |
0_2_0040ABC0 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: GetLocaleInfoA, |
0_2_0040AC0C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: GetLocaleInfoA, |
0_2_004059FE |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: GetLocaleInfoA, |
0_2_00405A00 |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0040965C GetLocalTime, |
0_2_0040965C |
Source: C:\Users\user\Desktop\uddisrw.exe |
Code function: 0_2_0043E388 GetVersion, |
0_2_0043E388 |