Analysis Date: 2018-05-20 00:12:00
MD5: c2fb8a8cc230f3fdd492afaa5cc6337c
SHA1: 2d0d8a39f5559c24d5e42f6bd154c0f81499939e

Static Details:

Triage note: most engines converge on a generic trojan/downloader verdict; where a family is named it is Upatre (Microsoft Security Essentials, Windows Defender, Trend Micro, CAT/QuickHeal), Waski (ESET) or Zbot (Ikarus, McAfee, Symantec). Four engines (Padvish, Rising, 360 Safe, Zillya!) return "No Virus" and two (K7, SUPERAntiSpyware) failed to scan, so a missing verdict from any single engine is not evidence that the file is clean. The McAfee name embeds the first twelve hex digits of the MD5 above, and the sample's SHA1 reappears as its on-disk filename in the runtime trace, which is a useful cross-check that the static and dynamic results refer to the same file.

AV  Arcabit (arcavir): Trojan.GenericKD.1669777
AV  Authentium: W32/Trojan.IFWB-0003
AV  Grisoft (avg): Downloader.Generic13.CCYH
AV  Avira (antivir): TR/Crypt.ZPACK.68501
AV  Alwil (avast): Trojan-gen
AV  Alwil (avast): Win32:Trojan-gen
AV  Ad-Aware: Trojan.GenericKD.1669777
AV  BitDefender: Trojan.GenericKD.1669777
AV  BullGuard: Trojan.GenericKD.1669777
AV  ClamAV: Win.Trojan.Generickd-148
AV  Dr. Web: Trojan.DownLoad3.33289
AV  Emsisoft: Trojan.GenericKD.1669777
AV  MicroWorld (escan): Trojan.GenericKD.1669777
AV  CA (E-Trust Ino): Trojan.GenericKD.1669777
AV  Fortinet: W32/Bublik.CMYI!tr
AV  Frisk (f-prot): W32/Trojan3.IGS
AV  F-Secure: Trojan.GenericKD.1669777
AV  Ikarus: Trojan-Spy.Zbot
AV  K7: Error Scanning File
AV  Kaspersky: Trojan.Win32.Generic
AV  MalwareBytes: Trojan.Downloader.UPT
AV  Mcafee: PWSZbot-FMO!C2FB8A8CC230
AV  Microsoft Security Essentials: TrojanDownloader:Win32/Upatre
AV  NANO: Trojan.Win32.Bublik.cxixoz
AV  Eset (nod32): Win32/TrojanDownloader.Waski.B
AV  Padvish: No Virus
AV  CAT (quickheal): TrojanDwnldr.Upatre.MUE.A3
AV  Rising: No Virus
AV  360 Safe: No Virus
AV  SUPERAntiSpyware: Error Scanning File
AV  Symantec: Trojan.Zbot
AV  Trend Micro: TROJ_UPATRE.SM37
AV  Twister: Trojan.Generic.hice
AV  VirusBlokAda (vba32): Trojan.Deserfecat
AV  Windows Defender: TrojanDownloader:Win32/Upatre
AV  Zillya!: No Virus

Runtime Details:

Triage note on the trace below: the sample, executed from the user's %TEMP% under its SHA1 as filename, repeatedly writes wdmaud.drv into both %TEMP% and C:\Windows\System32, rewrites its own image, and drops budha.exe in %TEMP%. budha.exe then runs and reproduces the same sequence of file writes (including rewriting itself) and the same mutex creations, so the second process is best read as a renamed copy of the first rather than a distinct payload. wdmaud.drv shares its name with a legitimate Windows component and a write under System32 would normally need elevated rights, so confirm from the raw sandbox log whether those System32 writes actually succeeded before treating the path as an indicator. Only one mutex name was captured (Local\MidiMapper_modLongMessage_RefCnt), which looks like a standard Windows multimedia mutex rather than a malware-specific marker — verify before using it for detection. lsass.exe is listed as a separate process entry with no attributed activity, and the report does not show why it appears.


Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\2d0d8a39f5559c24d5e42f6bd154c0f81499939e.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\2d0d8a39f5559c24d5e42f6bd154c0f81499939e.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\budha.exe
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: Local\MidiMapper_modLongMessage_RefCnt
Creates Mutex: (name not recorded in report)

Process
↳ C:\Users\Phil\AppData\Local\Temp\budha.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\budha.exe
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: (name not recorded in report)
Creates Mutex: Local\MidiMapper_modLongMessage_RefCnt
Creates Mutex: (name not recorded in report)

Network Details:

Triage note: of the three HTTP requests captured below, the first (GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab to www.download.windowsupdate.com) and the third (an OCSP query to ocsp.digicert.com) both carry the User-Agent "Microsoft-CryptoAPI/6.1", which is characteristic of Windows' own root-certificate and revocation-check traffic; it may have been triggered by the sample (for example by a signature check) but is not itself an indicator. The request to act on is the second: GET /wp-content/uploads/2014/05/0705USmp.enc to Host tuckerspride.com with the non-browser User-Agent "Updates downloader" and "Cache-Control: no-cache" — a file fetched from a site's WordPress uploads directory, consistent with the downloader verdicts (Upatre/Waski) in the static section. Treat the host, that URI path and that User-Agent string as the indicators from this run; whether the site is attacker-owned or a compromised third party cannot be determined from the capture, and the response body is not shown. The lone "16 03 01" fragment and the non-ASCII bytes following two of the HTTP header blocks look like TLS record headers captured in the same stream rather than HTTP body content, so do not read them as part of the requests.

Raw Pcap
0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 332f7374 61746963   update/v3/static
0x00000020 (00032)   2f747275 73746564 722f656e 2f617574   /trustedr/en/aut
0x00000030 (00048)   68726f6f 7473746c 2e636162 20485454   hrootstl.cab HTT
0x00000040 (00064)   502f312e 310d0a43 61636865 2d436f6e   P/1.1..Cache-Con
0x00000050 (00080)   74726f6c 3a206d61 782d6167 65203d20   trol: max-age = 
0x00000060 (00096)   31313736 30320d0a 436f6e6e 65637469   117602..Connecti
0x00000070 (00112)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000080 (00128)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000090 (00144)   722d4167 656e743a 204d6963 726f736f   r-Agent: Microso
0x000000a0 (00160)   66742d43 72797074 6f415049 2f362e31   ft-CryptoAPI/6.1
0x000000b0 (00176)   0d0a486f 73743a20 7777772e 646f776e   ..Host: www.down
0x000000c0 (00192)   6c6f6164 2e77696e 646f7773 75706461   load.windowsupda
0x000000d0 (00208)   74652e63 6f6d0d0a 0d0a                te.com....

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   75706c6f 6164732f 32303134 2f30352f   uploads/2014/05/
0x00000020 (00032)   30373035 55536d70 2e656e63 20485454   0705USmp.enc HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a2074   P/1.1..Accept: t
0x00000040 (00064)   6578742f 2a2c2061 70706c69 63617469   ext/*, applicati
0x00000050 (00080)   6f6e2f2a 0d0a5573 65722d41 67656e74   on/*..User-Agent
0x00000060 (00096)   3a205570 64617465 7320646f 776e6c6f   : Updates downlo
0x00000070 (00112)   61646572 0d0a486f 73743a20 7475636b   ader..Host: tuck
0x00000080 (00128)   65727370 72696465 2e636f6d 0d0a4361   erspride.com..Ca
0x00000090 (00144)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x000000a0 (00160)   63616368 650d0a0d 0ad81d20 b5aad0fe   cache...... ....
0x000000b0 (00176)   c3188a70 2fa15941 0bfbfc93 41ba10f0   ...p/.YA....A...
0x000000c0 (00192)   ffcbee35 f3c75ce7 78a71727 7f7b56d6   ...5..\.x..'.{V.
0x000000d0 (00208)   941f4da9 468cb5ca c9a0370b 47afcc36   ..M.F.....7.G..6
0x000000e0 (00224)   34ffdd47 7c0546e6 3cd71403 01         4..G|.F.<....

0x00000000 (00000)   47455420 2f4d4645 77547a42 4e4d4573   GET /MFEwTzBNMEs
0x00000010 (00016)   77535441 4a426755 7244674d 43476755   wSTAJBgUrDgMCGgU
0x00000020 (00032)   41424254 6671684c 6a4b4c45 4a515a50   ABBTfqhLjKLEJQZP
0x00000030 (00048)   696e304b 437a6b64 41517056 596f7751   in0KCzkdAQpVYowQ
0x00000040 (00064)   55735437 44615150 34763063 42314a67   UsT7DaQP4v0cB1Jg
0x00000050 (00080)   6d476767 4337324e 6b4b384d 43454150   mGggC72NkK8MCEAP
0x00000060 (00096)   25324237 78753174 6b67306d 69435644   %2B7xu1tkg0miCVD
0x00000070 (00112)   3476476c 314d2533 44204854 54502f31   4vGl1M%3D HTTP/1
0x00000080 (00128)   2e310d0a 436f6e6e 65637469 6f6e3a20   .1..Connection: 
0x00000090 (00144)   4b656570 2d416c69 76650d0a 41636365   Keep-Alive..Acce
0x000000a0 (00160)   70743a20 2a2f2a0d 0a557365 722d4167   pt: */*..User-Ag
0x000000b0 (00176)   656e743a 204d6963 726f736f 66742d43   ent: Microsoft-C
0x000000c0 (00192)   72797074 6f415049 2f362e31 0d0a486f   ryptoAPI/6.1..Ho
0x000000d0 (00208)   73743a20 6f637370 2e646967 69636572   st: ocsp.digicer
0x000000e0 (00224)   742e636f 6d0d0a0d 0ad71403 01         t.com........


Strings