Analysis Date2016-11-16 02:55:40
MD5df99e5d6102835b7fa9c9054f063e3e8
SHA138005968cfd32cd6279f5bf43c92a0f5133f39dc

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 142169f4370d9ad27278011955ffe026 sha1: fd27705936ffda591ec5f6b03faa0333a4027f48 size: 10240
Section.data md5: 6623b31aba4b2f70c19c33e6b8854591 sha1: c689da6cb654fc432eca233ae2b2ebbc01e6dcd2 size: 3072
Section.xcpad md5: sha1: size:
Section.idata md5: sha1: size:
Section.reloc md5: ee9f6ebb3e93daeb44407b19b047a309 sha1: 2ce19eb78285f5ad756b23b7a8b594e7dacd05ae size: 1024
Section.rsrc md5: 1bcd61cab10fad5f350fc4a5382e1b6f sha1: 81cb74ccf5c9addbf2fbb944e407e8135424bca6 size: 20480
Timestamp
VersionLegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
PackerMicrosoft Visual C 2.0
PEhash
IMPhashec5885042cc2b33d72a078126ecee5b3
AV360 SafeNo Virus
AVAd-AwareTrojan.Upatre.Gen.3
AVAlwil (avast)?
AVArcabit (arcavir)Trojan.Upatre.Gen.3
AVAuthentiumW32/Upatre.CC.gen!Eldorado
AVAvira (antivir)TR/Yarwi.qeuvz
AVBitDefenderTrojan.Upatre.Gen.3
AVBullGuardTrojan.Upatre.Gen.3
AVCA (E-Trust Ino)Trojan.Upatre.Gen.3
AVCAT (quickheal)Trojan.Kadena.B4
AVClamAVWin.Trojan.Upatre-6092
AVDr. WebTrojan.DownLoader19.14874
AVEmsisoftTrojan.Upatre.Gen.3
AVEset (nod32)Win32/Kryptik.DQXG
AVF-SecureTrojan.Upatre.Gen.3
AVFortinetW32/Kryptik.DQAA!tr
AVFrisk (f-prot)W32/Upatre.CC.gen!Eldorado
AVGrisoft (avg)Generic_s.FAG
AVIkarusTrojan.VB.Crypt
AVK7Trojan ( 004ce6cb1 )
AVKasperskyTrojan-Downloader.Win32.Upatre.dwgq
AVMalwareBytesTrojan.Upatre
AVMcafeeUpatre-FACH!DF99E5D61028
AVMicroWorld (escan)Trojan.Upatre.Gen.3
AVMicrosoft Security EssentialsNo Virus
AVRisingNo Virus
AVSUPERAntiSpywareTrojan.Agent/Gen-Upatre
AVSymantecDownloader.Upatre!gen5
AVTrend MicroTROJ_UPATRE.SM37
AVTwisterTrojan.Girtk.DQXG.akgf
AVVirusBlokAda (vba32)TrojanDownloader.Upatre
AVWindows DefenderTrojanDownloader:Win32/Upatre!rfn
AVZillya!Downloader.CTBLocker.Win32.12

Runtime Details:

Screenshot

Process
↳ C:\38005968cfd32cd6279f5bf43c92a0f5133f39dc.exe

Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\38005968cfd32cd6279f5bf43c92a0f5133f39dc.exe
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\ofylywo.exe

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\ofylywo.exe

Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\ofylywo.exe
Creates FileC:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Admin\Cookies\index.dat
Creates FileC:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths ➝
4
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache1\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache2\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache3\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache4\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ➝
C:\Documents and Settings\All Users\Application Data\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
Creates Mutex_!MSFTHISTORY!_
Creates Mutexc:!documents and settings!admin!local settings!temporary internet files!content.ie5!
Creates Mutexc:!documents and settings!admin!cookies!
Creates Mutexc:!documents and settings!admin!local settings!history!history.ie5!
Creates MutexWininetStartupMutex
Creates MutexWininetConnectionMutex
Creates Mutex
Creates MutexWininetProxyRegistryMutex
Creates Mutex
Creates MutexRasPbFile
Creates MutexZonesCounterMutex
Creates MutexZonesCacheCounterMutex
Creates MutexZonesLockedCacheCounterMutex
Creates Mutex

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e312920 4170706c 65576562   NT 6.1) AppleWeb
0x00000060 (00096)   4b69742f 3533352e 33362028 4b48544d   Kit/535.36 (KHTM
0x00000070 (00112)   4c2c206c 696b6520 4765636b 6f292043   L, like Gecko) C
0x00000080 (00128)   68726f6d 652f3434 2e302e32 3435352e   hrome/44.0.2455.
0x00000090 (00144)   38312053 61666172 692f3533 352e3336   81 Safari/535.36
0x000000a0 (00160)   0d0a486f 73743a20 63686563 6b69702e   ..Host: checkip.
0x000000b0 (00176)   64796e64 6e732e6f 72670d0a 43616368   dyndns.org..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a                       che....


Strings
<8~X
Ew!B
TZJ[z
o(z_VY
[H6Z
>jC}
|{0g
U[Bi
@!bI
o$GL
TZM{
[C@!
W\>v![
;N4!
Pj|{
8{X<
hZo`
(&Sy
 RJ/
b/D@
nu,4
U/D@
[s4)
O`z_VY
TZZY
bCZj
UWQ_
FFFF
@jTj
t	VW
IIII
IIII
Virt^_
ZJFRF
^NNNN
GHHGH
^H9E
_^[]
/un8H
</uy8A
jdh@[@
h8U@
hDU@
5+U@
j h,
j<h,
hhU@
5+U@
@hXU@
h`U@
5+U@
@h\D@
hxU@
5+U@
@h]D@
hhU@
5+U@
h`U@
h`D@
%0@@
%,@@
%(@@
%$@@
% @@
%4@@
VC20XC00U
SVWU
t:VU
t(x1
]_^[
>a 3F0H^ N->PK/
NppHelpAbsentWarning
DocReloadWarning
A-b;2@5(_`f+^Y#AA]
#Z?OXf]Z9<:HhE>K$M
\*S1aTCNKY>
thought of it since then - that he had a charm
DispatchMessageA
TranslateMessage
GetMessageA
RegisterClassExA
LoadCursorA
LoadIconA
LoadStringA
UpdateWindow
ShowWindow
CreateWindowExA
PostMessageA
PostQuitMessage
DefWindowProcA
DestroyWindow
EndPaint
DrawTextA
GetClientRect
BeginPaint
SendMessageA
USER32.dll
GlobalSize
SizeofResource
CreateThread
WaitForSingleObject
GlobalAlloc
FindNextFileW
Sleep
FindFirstFileW
FindClose
LoadLibraryA
GetModuleHandleA
KERNEL32.dll
InitCommonControlsEx
COMCTL32.dll
GradientFill
AlphaBlend
MSIMG32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
_exit
_XcptFilter
exit
_acmdln_dll
_initterm
__GetMainArgs
_commode_dll
_fmode_dll
CRTDLL.dll
_global_unwind2
_local_unwind2
GetStartupInfoA
mIHpqYSemmbYjh
)#my
:m%zg
CannotMoveDoc
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+.,:?&@=/%#()
9	?	(	M	&	@
gmVeOJcXsBInWnpgXWdh_BYfXQd
_k^[kdfC]TKmCcDc]
Magnetick
Charge Window App
EXIT
button
edit
static
richedit
ABCDEFG
riched32.dll
ffffff
aGGDDV
tttDP`
twGD``awwGtu
PawwwGE
PffffffWP
GtwwwP
www30www
wwwwwx
wwwwr
wwwwww
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
	<assemblyIdentity version="1.0.4.37"
		processorArchitecture="X86"
		name="COOTEK"
		type="win32"/>
	<description>COOTEK</description>
	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
		<security>
			<requestedPrivileges>
				<requestedExecutionLevel
					level="asInvoker"
					uiAccess="false"/>
				</requestedPrivileges>
		</security>
	</trustInfo>
</assembly>
= =8=C=K=Q=[=
?:???G?L?T?q?v?~?
0.0A0Q0Z0g0
1/141Y1m1
2.23292F2Q2V2o2
2P3V3^3d3j3p3v3P4V4
4)4-454=4A4