Analysis Date: 2018-05-20 02:36:08
MD5: dc816d993ab0a02f7ee96c8d997113b8
SHA1: 7d5123754d7f0676640836df474aaa0cc9d77dd4 (the sandbox executed the sample under this SHA1 as its filename; see Runtime Details)

Static Details:

AV: Arcabit (arcavir) — Gen:Variant.Dropper.95
AV: Authentium — W32/Trojan.FTIL-8035
AV: Grisoft (avg) — Error Scanning File
AV: Avira (antivir) — TR/BAS.Upatre.jwrbk
AV: Alwil (avast) — Trojan-gen
AV: Alwil (avast) — Win32:Trojan-gen
AV: Ad-Aware — Gen:Variant.Dropper.95
AV: BitDefender — Gen:Variant.Dropper.95
AV: BullGuard — Gen:Variant.Dropper.95
AV: ClamAV — Win.Trojan.Agent-1135852
AV: Dr. Web — Trojan.Packed.3036
AV: Emsisoft — Gen:Variant.Dropper.95
AV: MicroWorld (escan) — Gen:Variant.Dropper.95
AV: CA (E-Trust Ino) — Gen:Variant.Dropper.95
AV: Fortinet — W32/Zbot.QNYM!tr
AV: Frisk (f-prot) — W32/Trojan3.GJF
AV: F-Secure — Gen:Variant.Dropper.95
AV: Ikarus — Trojan-Downloader.Win32.Upatre
AV: K7 — Spyware ( 0040f78b1 )
AV: Kaspersky — Trojan.Win32.Agent.ibbb
AV: MalwareBytes — Backdoor.Bot
AV: Mcafee — Trojan-FDFY!DC816D993AB0
AV: Microsoft Security Essentials — TrojanDownloader:Win32/Upatre
AV: NANO — Error Scanning File
AV: Eset (nod32) — Win32/TrojanDownloader.Small.AAB
AV: Padvish — No Virus
AV: CAT (quickheal) — TrojanDownloader.Upatre.A6
AV: Rising — No Virus
AV: 360 Safe — Backdoor.Win32.Pushdo.J
AV: SUPERAntiSpyware — Trojan.Agent/Gen-Infector
AV: Symantec — Downloader
AV: Trend Micro — TROJ_UPATRE.SM37
AV: Twister — TrojanDldr.Small.AAB.qsjc
AV: VirusBlokAda (vba32) — TrojanSpy.Zbot
AV: Windows Defender — TrojanDownloader:Win32/Upatre
AV: Zillya! — No Virus

Summary of the multi-engine results: six engines (Avira, Ikarus, Microsoft Security Essentials, CAT/quickheal, Trend Micro, Windows Defender) name the Upatre downloader family explicitly, eight share the generic Gen:Variant.Dropper.95 signature, and a few attribute it to the payload families Upatre commonly delivers (Zbot per Fortinet and VirusBlokAda, Pushdo per 360 Safe). Three engines report "No Virus" and two returned "Error Scanning File", so a clean verdict from any single engine should not be taken as evidence the sample is benign.

Runtime Details:


Process
↳ C:\Windows\System32\lsass.exe
(Listed by the sandbox with no file, mutex or network activity attributed to it in this report. Whether the sample interacted with lsass.exe — for example by injecting into it — or it was merely a monitored system process cannot be determined from what is shown here; check the full behavioural log before treating it as an indicator.)

Process
↳ C:\Users\Phil\AppData\Local\Temp\7d5123754d7f0676640836df474aaa0cc9d77dd4.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\7d5123754d7f0676640836df474aaa0cc9d77dd4.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\budha.exe

Note on reading this list: the sandbox reports every CreateFile call as "Creates File", so opens of existing system files and genuine writes are mixed together, and access modes and sizes are not shown here. The sortdefault.nls entry and the alternating Temp\wdmaud.drv / System32\wdmaud.drv pairs look like Windows resolving its NLS sorting table and the wdmaud.drv audio driver through the normal DLL search order, which probes the executable's own directory (here %TEMP%) before System32 — presumably opens rather than drops, but confirm against the full log. The entries worth treating as real artefacts are the sample re-opening its own image (…7d5123754d7f0676640836df474aaa0cc9d77dd4.exe) and creating %TEMP%\budha.exe, which the sandbox then records as the next process.
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex: Local\MidiMapper_modLongMessage_RefCnt (a Windows multimedia/MIDI mapper mutex; appears to be a side effect of loading the audio subsystem rather than a sample-specific marker — do not use it as an IOC on its own)
Creates Mutex (name not captured in this report)

Process
↳ C:\Users\Phil\AppData\Local\Temp\budha.exe
(This is the file the first sample process created in %TEMP%. Its recorded activity below mirrors the parent's almost line for line, including re-opening its own image, which is consistent with the sample copying itself to a new name and relaunching; the report does not show whether the original file was deleted afterwards.)

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\wdmaud.drv
Creates File: C:\Windows\System32\wdmaud.drv
Creates File: C:\Users\Phil\AppData\Local\Temp\budha.exe

(Same pattern as the parent process: the sortdefault.nls and wdmaud.drv entries are presumably library/system-file opens reported as "Creates File" by the sandbox hooks, not drops; the only sample-specific entry is budha.exe re-opening its own image. Access modes are not shown, so verify in the full log.)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex (name not captured in this report)
Creates Mutex: Local\MidiMapper_modLongMessage_RefCnt (Windows multimedia mutex, same as in the parent process; not a sample-specific indicator)
Creates Mutex (name not captured in this report)

Network Details:

How to read the captures below: every plaintext HTTP request carries the User-Agent "Microsoft-CryptoAPI/6.1" and goes to certificate-infrastructure hosts — OCSP responders at isrg.trustid.ocsp.identrust.com and ocsp.int-x3.letsencrypt.org, an AIA fetch of /roots/dstrootcax3.p7c from apps.identrust.com, and the authrootstl.cab root-store update from www.download.windowsupdate.com. That is the Windows certificate-chain engine validating a certificate chaining through the Let's Encrypt X3 intermediate to DST Root CA X3, not the sample's own protocol. The sample's actual connections appear only as the three-byte fragments "16 03 01" (a TLS handshake record header, record version 3.1), i.e. the capture is truncated before the ClientHello and so the destination host, SNI and server certificate are not visible in this report. Treat the identrust, letsencrypt and windowsupdate hosts as benign side effects rather than indicators; the real network IOCs are the TLS peers, which must be taken from the full pcap or the sandbox's connection list. The "/6.1" in the CryptoAPI user agent also suggests a Windows 6.1 (Windows 7-era) sandbox image.

Raw Pcap
0x00000000 (00000)   47455420 2f4d4645 77547a42 4e4d4573   GET /MFEwTzBNMEs
0x00000010 (00016)   77535441 4a426755 7244674d 43476755   wSTAJBgUrDgMCGgU
0x00000020 (00032)   41424252 76394768 4e51784c 5353474b   ABBRv9GhNQxLSSGK
0x00000030 (00048)   426e4d41 72505563 7348596f 76706751   BnMArPUcsHYovpgQ
0x00000040 (00064)   55784b65 78704873 73636672 62345575   UxKexpHsscfrb4Uu
0x00000050 (00080)   51646625 32464546 57434669 52414345   Qdf%2FEFWCFiRACE
0x00000060 (00096)   416f4251 55494141 41465468 584e7143   AoBQUIAAAFThXNqC
0x00000070 (00112)   34587370 77672533 44204854 54502f31   4Xspwg%3D HTTP/1
0x00000080 (00128)   2e310d0a 436f6e6e 65637469 6f6e3a20   .1..Connection: 
0x00000090 (00144)   4b656570 2d416c69 76650d0a 41636365   Keep-Alive..Acce
0x000000a0 (00160)   70743a20 2a2f2a0d 0a557365 722d4167   pt: */*..User-Ag
0x000000b0 (00176)   656e743a 204d6963 726f736f 66742d43   ent: Microsoft-C
0x000000c0 (00192)   72797074 6f415049 2f362e31 0d0a486f   ryptoAPI/6.1..Ho
0x000000d0 (00208)   73743a20 69737267 2e747275 73746964   st: isrg.trustid
0x000000e0 (00224)   2e6f6373 702e6964 656e7472 7573742e   .ocsp.identrust.
0x000000f0 (00240)   636f6d0d 0a0d0a                       com....

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 332f7374 61746963   update/v3/static
0x00000020 (00032)   2f747275 73746564 722f656e 2f617574   /trustedr/en/aut
0x00000030 (00048)   68726f6f 7473746c 2e636162 20485454   hrootstl.cab HTT
0x00000040 (00064)   502f312e 310d0a43 61636865 2d436f6e   P/1.1..Cache-Con
0x00000050 (00080)   74726f6c 3a206d61 782d6167 65203d20   trol: max-age = 
0x00000060 (00096)   39313230 300d0a43 6f6e6e65 6374696f   91200..Connectio
0x00000070 (00112)   6e3a204b 6565702d 416c6976 650d0a41   n: Keep-Alive..A
0x00000080 (00128)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000090 (00144)   2d416765 6e743a20 4d696372 6f736f66   -Agent: Microsof
0x000000a0 (00160)   742d4372 7970746f 4150492f 362e310d   t-CryptoAPI/6.1.
0x000000b0 (00176)   0a486f73 743a2077 77772e64 6f776e6c   .Host: www.downl
0x000000c0 (00192)   6f61642e 77696e64 6f777375 70646174   oad.windowsupdat
0x000000d0 (00208)   652e636f 6d0d0a0d 0a474554 202f6d73   e.com....GET /ms
0x000000e0 (00224)   646f776e 6c6f6164 2f757064 6174652f   download/update/
0x000000f0 (00240)   76332f73 74617469 632f7472 75737465   v3/static/truste
0x00000100 (00256)   64722f65 6e2f6175 7468726f 6f747374   dr/en/authrootst
0x00000110 (00272)   6c2e6361 62204854 54502f31 2e310d0a   l.cab HTTP/1.1..
0x00000120 (00288)   43616368 652d436f 6e74726f 6c3a206d   Cache-Control: m
0x00000130 (00304)   61782d61 6765203d 20393132 30320d0a   ax-age = 91202..
0x00000140 (00320)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000150 (00336)   2d416c69 76650d0a 41636365 70743a20   -Alive..Accept: 
0x00000160 (00352)   2a2f2a0d 0a49662d 4d6f6469 66696564   */*..If-Modified
0x00000170 (00368)   2d53696e 63653a20 4672692c 20323220   -Since: Fri, 22 
0x00000180 (00384)   53657020 32303137 2032323a 30333a35   Sep 2017 22:03:5
0x00000190 (00400)   3220474d 540d0a49 662d4e6f 6e652d4d   2 GMT..If-None-M
0x000001a0 (00416)   61746368 3a202230 31346538 61636565   atch: "014e8acee
0x000001b0 (00432)   33336433 313a3022 0d0a5573 65722d41   33d31:0"..User-A
0x000001c0 (00448)   67656e74 3a204d69 63726f73 6f66742d   gent: Microsoft-
0x000001d0 (00464)   43727970 746f4150 492f362e 310d0a48   CryptoAPI/6.1..H
0x000001e0 (00480)   6f73743a 20777777 2e646f77 6e6c6f61   ost: www.downloa
0x000001f0 (00496)   642e7769 6e646f77 73757064 6174652e   d.windowsupdate.
0x00000200 (00512)   636f6d0d 0a0d0a                       com....

0x00000000 (00000)   47455420 2f726f6f 74732f64 7374726f   GET /roots/dstro
0x00000010 (00016)   6f746361 78332e70 37632048 5454502f   otcax3.p7c HTTP/
0x00000020 (00032)   312e310d 0a436f6e 6e656374 696f6e3a   1.1..Connection:
0x00000030 (00048)   204b6565 702d416c 6976650d 0a416363    Keep-Alive..Acc
0x00000040 (00064)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000050 (00080)   67656e74 3a204d69 63726f73 6f66742d   gent: Microsoft-
0x00000060 (00096)   43727970 746f4150 492f362e 310d0a48   CryptoAPI/6.1..H
0x00000070 (00112)   6f73743a 20617070 732e6964 656e7472   ost: apps.identr
0x00000080 (00128)   7573742e 636f6d0d 0a0d0a              ust.com....

0x00000000 (00000)   47455420 2f4d464d 77555442 504d4530   GET /MFMwUTBPME0
0x00000010 (00016)   77537a41 4a426755 7244674d 43476755   wSzAJBgUrDgMCGgU
0x00000020 (00032)   41424252 25324235 6d726e63 70717a25   ABBR%2B5mrncpqz%
0x00000030 (00048)   32465069 69494752 73467145 74594845   2FPiiIGRsFqEtYHE
0x00000040 (00064)   49585151 55714570 71597752 39336272   IXQQUqEpqYwR93br
0x00000050 (00080)   6d30546d 33706b56 6c372532 464f6f37   m0Tm3pkVl7%2FOo7
0x00000060 (00096)   4b454345 67506e52 46714a34 57503753   KECEgPnRFqJ4WP7S
0x00000070 (00112)   39787479 37456e65 514e736f 67253344   9xty7EneQNsog%3D
0x00000080 (00128)   25334420 48545450 2f312e31 0d0a436f   %3D HTTP/1.1..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000a0 (00160)   6c697665 0d0a4163 63657074 3a202a2f   live..Accept: */
0x000000b0 (00176)   2a0d0a55 7365722d 4167656e 743a204d   *..User-Agent: M
0x000000c0 (00192)   6963726f 736f6674 2d437279 70746f41   icrosoft-CryptoA
0x000000d0 (00208)   50492f36 2e310d0a 486f7374 3a206f63   PI/6.1..Host: oc
0x000000e0 (00224)   73702e69 6e742d78 332e6c65 7473656e   sp.int-x3.letsen
0x000000f0 (00240)   63727970 742e6f72 670d0a0d 0a         crypt.org....

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   160301                                ...

0x00000000 (00000)   160301                                ...


Strings