Analysis Date2017-07-14 22:34:21
MD5492948f31d5c66f54fe2cdc92f11cd83
SHA11075b953b596d353b0b8718ee79580069b16f30b

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 791799c54171a5ebfbf278a4f374a193 sha1: 5db23bfcf3c863d5a8eec76d0673bbf559effeec size: 2560
Section.data md5: d447e459653b50488035fa0eeb73205e sha1: 247a07d59dfdeacbc7632ff820aeb5d980df6839 size: 512
Section.xcpad md5: sha1: size:
Section.idata md5: 41e0574f20f21f653aa920261dd7710c sha1: 63a97f03e700c27b1faeb452a2c26c9a4e22c0f2 size: 1536
Section.reloc md5: sha1: size:
Section.rsrc md5: 3a5ce84acf065afa8eb57ef1e71c0c7b sha1: adb7311758780baa7404f91a4a32e4f346138407 size: 7680
Timestamp
VersionLegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer
PEhash
IMPhash2882965f02737a1b501e426c9c6b57a3
AV360 SafeNo Virus
AVAd-AwareTrojan.GenericKD.1416345
AVAlwil (avast)Crypt-QFY [Trj]
AVArcabit (arcavir)Trojan.GenericKD.1416345
AVAuthentiumW32/Trojan.RULM-9121
AVAvira (antivir)TR/Rogue.AI.11221
AVBitDefenderTrojan.GenericKD.1416345
AVBullGuardTrojan.GenericKD.1416345
AVCA (E-Trust Ino)Trojan.GenericKD.1416345
AVCAT (quickheal)TrojanDownloader.Upatre.A5
AVClamAVWin.Trojan.Agent-1123801
AVDr. WebTrojan.DownLoad3.28161
AVEmsisoftTrojan.GenericKD.1416345
AVEset (nod32)Win32/TrojanDownloader.Waski.A
AVF-SecureTrojan.GenericKD.1416345
AVFortinetW32/Zbot.HFQ!tr
AVFrisk (f-prot)W32/Trojan3.GPA
AVGrisoft (avg)Crypt2.BXXF
AVIkarusTrojan-Spy.Win32.Zbot
AVK7Error Scanning File
AVKasperskyTrojan-Downloader.Win32.Agent.hdsz
AVMalwareBytesTrojan.FakeMS.ED
AVMcafeePWSZbot-FMO!492948F31D5C
AVMicroWorld (escan)Trojan.GenericKD.1416345
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre
AVNANOTrojan.Win32.Agent.cqixup
AVPadvishNo Virus
AVRisingNo Virus
AVSUPERAntiSpywareTrojan.Agent/Gen-Zbot
AVSymantecDownloader
AVTrend MicroTROJ_UPATRE.SMJ8
AVTwisterTrojanDldr.Waski.A.rmgu
AVVirusBlokAda (vba32)TrojanDownloader.Agent
AVWindows DefenderTrojanDownloader:Win32/Upatre
AVZillya!Error Scanning File

Runtime Details:

Screenshot

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe

Creates Filemciwave.dll
Creates FileC:\WINDOWS\system32\mciwave.dll
Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\budha.exe

Process
↳ C:\1075b953b596d353b0b8718ee79580069b16f30b.exe

Creates Filemciwave.dll
Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\1075b953b596d353b0b8718ee79580069b16f30b.exe
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\budha.exe
Creates FileC:\WINDOWS\Registration\R000000000007.clb
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\budha.exe
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\budha.exe
Creates Mutex
Creates MutexZonesCounterMutex
Creates MutexZonesCacheCounterMutex
Creates MutexZonesLockedCacheCounterMutex
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass ➝
Drive\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass ➝
Drive\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ➝
C:\Documents and Settings\All Users\Documents\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ➝
C:\Documents and Settings\All Users\Desktop\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe ➝
budha\\x00

Network Details:


Raw Pcap

Strings
 s`K
s<+K
@&+K
JRQQQ[
 7`K
 s`K
s.+K
sQ+K
 g`K
H%+K
#jif
 W^K
 ?^K
 /^K
 +^K
 O^K
 S^K
 +^K
 K^K
 [^K
 _^@
~H_:
|v,M
v'qn
(|"
5B @
Ph% @
PRFT
SSCL
CreateWindowExA
LoadCursorA
TranslateMessage
set waveaudio door open
LoadLibraryExA
user32.dll
mciSendStringA
Winmm.dll
r5Ht
user32.dll
GDI32.dll
Msacm32.dll
ADVAPI32.dll
IMM32.dll
kernel32.dll
GetModuleHandleA
GetProcAddress
HeapCreate
HeapAlloc
ExitProcess
FreeLibrary
GetMessageA
DefWindowProcA
PostQuitMessage
GetForegroundWindow
SetForegroundWindow
GetDoubleClickTime
GetQueueStatus
LoadIconA
RegisterClassA
RegQueryValueExA
RegOpenKeyA
GetUserNameA
CopySid
GetLengthSid
IntersectClipRect
ExcludeClipRect
UpdateColors
GetTextExtentPoint32A
CreateCompatibleDC
DeleteObject
TextOutA
SetBkColor
SetTextColor
Rectangle
CreateSolidBrush
GetStockObject
CreateFontIndirectA
GetTextExtentExPointA
GetTextMetricsA
CreateFontA
RealizePalette
ImmGetCompositionStringW
ImmSetCompositionFontA
ImmGetContext
ImmSetCompositionWindow
acmStreamOpen
acmDriverPriority
####
#######
####
4,##########
#########
#####,
,######,
#####2
######2#
JC44K
xXMt7
#######2#J
########2,
2U{DY]]F
####
########2#CzzC2#
####
2222222222,R R
##,,,,######
2222222222#C%
,22#2222######
22222222222,
#2#############
22222222222<K
K#2#2###########
22222222222<
,222##2#########
22222222
,42222##2#######
i,42222222#######
i<22222222#######
222222222####
22222222222##
$$$$$$$$
222222222#
$$$$$$
$$$$,
dk<4
22222222
++$$
2222222
888888888&8&&
9=======))))))))))))))))pp)))
<$$$$$
9:::::::3>333W>>>33W>33333333>
******
m-------M
7-7M
o77on7-------E
*T11II11
:(((((-Mt
7-(-((-E
L((((((Z}
((((((E
1G;?????
-555555Zx
lZF5555F5XN
(555555Z}2
4DPKDP#4
F05550qN
5000000u~4Y
K~4YSKrRK
~0000060
4wjj
bg;T
0%%%%%%
`%%%%%
ubg^T
%%%%%%%%`ad
%Had
%%%%%%`
bg^T#
%%%%%%%%%BB%%%BB%HH%BB%HHHHH%H
H///////'''''''''''''''''''''/
.................f.
$&&&
&&&&&
&&&&$$$&
$$$$$$$
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
%xn;
?I-3
(f;_
K!5m
[E3L
e( &
	=Z
;5Jj
*o0Z
-cJ,
jyjM
t	N