Analysis Date2017-07-14 23:32:06
MD552d6ffedb3078e8b928a329a69b4333e
SHA1bbed7ebf81b7c57044aee57f4ddf9f44019313f3

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 791799c54171a5ebfbf278a4f374a193 sha1: 5db23bfcf3c863d5a8eec76d0673bbf559effeec size: 2560
Section.data md5: d447e459653b50488035fa0eeb73205e sha1: 247a07d59dfdeacbc7632ff820aeb5d980df6839 size: 512
Section.xcpad md5: sha1: size:
Section.idata md5: 41e0574f20f21f653aa920261dd7710c sha1: 63a97f03e700c27b1faeb452a2c26c9a4e22c0f2 size: 1536
Section.reloc md5: sha1: size:
Section.rsrc md5: 3a5ce84acf065afa8eb57ef1e71c0c7b sha1: adb7311758780baa7404f91a4a32e4f346138407 size: 7680
Timestamp
VersionLegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer
PEhash
IMPhash2882965f02737a1b501e426c9c6b57a3
AV360 SafeNo Virus
AVAd-AwareTrojan.GenericKD.1416345
AVAlwil (avast)Crypt-QFY [Trj]
AVArcabit (arcavir)Trojan.GenericKD.1416345
AVAuthentiumW32/Trojan.RULM-9121
AVAvira (antivir)TR/Rogue.AI.11221
AVBitDefenderTrojan.GenericKD.1416345
AVBullGuardTrojan.GenericKD.1416345
AVCA (E-Trust Ino)Trojan.GenericKD.1416345
AVCAT (quickheal)TrojanDownloader.Upatre.A5
AVClamAVWin.Trojan.Agent-1123801
AVDr. WebTrojan.DownLoad3.28161
AVEmsisoftTrojan.GenericKD.1416345
AVEset (nod32)Win32/TrojanDownloader.Waski.A
AVF-SecureTrojan.GenericKD.1416345
AVFortinetW32/Zbot.HFQ!tr
AVFrisk (f-prot)W32/Trojan3.GPA
AVGrisoft (avg)Crypt2.BXXF
AVIkarusTrojan-Spy.Win32.Zbot
AVK7Trojan-Downloader ( 0040f6bd1 )
AVKasperskyTrojan-Downloader.Win32.Agent.hdsz
AVMalwareBytesTrojan.FakeMS.ED
AVMcafeePWSZbot-FMO!52D6FFEDB307
AVMicroWorld (escan)Trojan.GenericKD.1416345
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre
AVNANOTrojan.Win32.Agent.cqixup
AVPadvishNo Virus
AVRisingNo Virus
AVSUPERAntiSpywareTrojan.Agent/Gen-FakePDF
AVSymantecDownloader
AVTrend MicroTROJ_UPATRE.SMJ8
AVTwisterTrojanDldr.Waski.A.rmgu
AVVirusBlokAda (vba32)TrojanDownloader.Agent
AVWindows DefenderTrojanDownloader:Win32/Upatre
AVZillya!Downloader.Agent.Win32.182483

Runtime Details:

Screenshot

Process
↳ C:\bbed7ebf81b7c57044aee57f4ddf9f44019313f3.exe

Creates Filemciwave.dll
Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\bbed7ebf81b7c57044aee57f4ddf9f44019313f3.exe
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\budha.exe
Creates FileC:\WINDOWS\Registration\R000000000007.clb
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\budha.exe
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\budha.exe
Creates Mutex
Creates MutexZonesCounterMutex
Creates MutexZonesCacheCounterMutex
Creates MutexZonesLockedCacheCounterMutex
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\BaseClass ➝
Drive\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\BaseClass ➝
Drive\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ➝
C:\Documents and Settings\All Users\Documents\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ➝
C:\Documents and Settings\All Users\Desktop\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe ➝
budha\\x00

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\budha.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths ➝
4
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache1\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache2\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache3\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache4\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ➝
C:\Documents and Settings\All Users\Application Data\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
Creates Mutexc:!documents and settings!admin!local settings!temporary internet files!content.ie5!
Creates Mutexc:!documents and settings!admin!cookies!
Creates Mutexc:!documents and settings!admin!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates MutexRasPbFile
Creates MutexZonesCounterMutex
Creates MutexZonesCacheCounterMutex
Creates MutexZonesLockedCacheCounterMutex
Creates FileC:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Admin\Cookies\index.dat
Creates FileC:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
Creates FileC:\WINDOWS\system32\userenv.dll
Creates FileC:\WINDOWS\system32\userenv.dll
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat

Network Details:


Raw Pcap

Strings
 s`K
s<+K
@&+K
JRQQQ[
 7`K
 s`K
s.+K
sQ+K
 g`K
H%+K
#jif
 W^K
 ?^K
 /^K
 +^K
 O^K
 S^K
 +^K
 K^K
 [^K
 _^@
~H_:
|v,M
v'qn
(|"
5B @
Ph% @
PRFT
SSCL
CreateWindowExA
LoadCursorA
TranslateMessage
set waveaudio door open
LoadLibraryExA
user32.dll
mciSendStringA
Winmm.dll
r5Ht
user32.dll
GDI32.dll
Msacm32.dll
ADVAPI32.dll
IMM32.dll
kernel32.dll
GetModuleHandleA
GetProcAddress
HeapCreate
HeapAlloc
ExitProcess
FreeLibrary
GetMessageA
DefWindowProcA
PostQuitMessage
GetForegroundWindow
SetForegroundWindow
GetDoubleClickTime
GetQueueStatus
LoadIconA
RegisterClassA
RegQueryValueExA
RegOpenKeyA
GetUserNameA
CopySid
GetLengthSid
IntersectClipRect
ExcludeClipRect
UpdateColors
GetTextExtentPoint32A
CreateCompatibleDC
DeleteObject
TextOutA
SetBkColor
SetTextColor
Rectangle
CreateSolidBrush
GetStockObject
CreateFontIndirectA
GetTextExtentExPointA
GetTextMetricsA
CreateFontA
RealizePalette
ImmGetCompositionStringW
ImmSetCompositionFontA
ImmGetContext
ImmSetCompositionWindow
acmStreamOpen
acmDriverPriority
####
#######
####
4,##########
#########
#####,
,######,
#####2
######2#
JC44K
xXMt7
#######2#J
########2,
2U{DY]]F
####
########2#CzzC2#
####
2222222222,R R
##,,,,######
2222222222#C%
,22#2222######
22222222222,
#2#############
22222222222<K
K#2#2###########
22222222222<
,222##2#########
22222222
,42222##2#######
i,42222222#######
i<22222222#######
222222222####
22222222222##
$$$$$$$$
222222222#
$$$$$$
$$$$,
dk<4
22222222
++$$
2222222
888888888&8&&
9=======))))))))))))))))pp)))
<$$$$$
9:::::::3>333W>>>33W>33333333>
******
m-------M
7-7M
o77on7-------E
*T11II11
:(((((-Mt
7-(-((-E
L((((((Z}
((((((E
1G;?????
-555555Zx
lZF5555F5XN
(555555Z}2
4DPKDP#4
F05550qN
5000000u~4Y
K~4YSKrRK
~0000060
4wjj
bg;T
0%%%%%%
`%%%%%
ubg^T
%%%%%%%%`ad
%Had
%%%%%%`
bg^T#
%%%%%%%%%BB%%%BB%HH%BB%HHHHH%H
H///////'''''''''''''''''''''/
.................f.
$&&&
&&&&&
&&&&$$$&
$$$$$$$
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
%xn;
?I-3
(f;_
K!5m
[E3L
e( &
	=Z
;5Jj
*o0Z
-cJ,
jyjM
t	N