Analysis Date: 2016-11-15 12:01:32
MD5: cd0bdf69d72096d2a73e411f1a67b7f8
SHA1: 5ad907e357b7afc489ce90a35bd8933457df4a6a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 303bb110f798333c0152c074ad69e1ba sha1: 65da152cd540535a624109777a6ae574ce748f39 size: 10240
Section .data md5: e28b0e23dec5395a0e2acd771cda03ca sha1: 676ac38b4756c71c46d73ff9224295f388509894 size: 3072
Section .xcpad md5: sha1: size:
Section .idata md5: sha1: size:
Section .reloc md5: 9bb4c38345643d95dc119116fce7f50a sha1: 0d766cb6c951691d854f34c1f32a9c2b158323c5 size: 1024
Section .rsrc md5: 8ee711055af87f3bbb31d9aa494d92de sha1: 1d5555ce244a8a47c4127a3c51a6b7a47c7a9990 size: 20480
Timestamp
Version LegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer: Microsoft Visual C 2.0
PEhash:
IMPhash: ec5885042cc2b33d72a078126ecee5b3
AV 360 Safe: No Virus
AV Ad-Aware: Trojan.Upatre.Gen.3
AV Alwil (avast): ?
AV Arcabit (arcavir): Trojan.Upatre.Gen.3
AV Authentium: W32/Upatre.CC.gen!Eldorado
AV Avira (antivir): TR/Yarwi.yxytn
AV BitDefender: Trojan.Upatre.Gen.3
AV BullGuard: Trojan.Upatre.Gen.3
AV CA (E-Trust Ino): Trojan.Upatre.Gen.3
AV CAT (quickheal): Trojan.Kadena.B4
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader22.2184
AV Emsisoft: Trojan.Upatre.Gen.3
AV Eset (nod32): Win32/Kryptik.DQXG
AV F-Secure: Trojan.Upatre.Gen.3
AV Fortinet: W32/Kryptik.DQAA!tr
AV Frisk (f-prot): W32/Upatre.CC.gen!Eldorado
AV Grisoft (avg): Generic_s.FAG
AV Ikarus: Trojan.VB.Crypt
AV K7: Trojan ( 004ce6cb1 )
AV Kaspersky: Trojan-Downloader.Win32.Upatre.dwge
AV MalwareBytes: Trojan.Upatre
AV Mcafee: Upatre-FACH!CD0BDF69D720
AV MicroWorld (escan): Trojan.Upatre.Gen.3
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre!rfn
AV Rising: No Virus
AV SUPERAntiSpyware: Trojan.Agent/Gen-Upatre
AV Symantec: Downloader.Upatre!gen5
AV Trend Micro: TROJ_UPATRE.SM37
AV Twister: Trojan.Girtk.DQXG.wtgq
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Windows Defender: TrojanDownloader:Win32/Upatre!rfn
AV Zillya!: Downloader.CTBLocker.Win32.12

Runtime Details:

Screenshot

Process
↳ C:\5ad907e357b7afc489ce90a35bd8933457df4a6a.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\5ad907e357b7afc489ce90a35bd8933457df4a6a.exe
Creates File: C:\DOCUME~1\Admin\Local Settings\Temp\ofylywo.exe

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\ofylywo.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths ➝
4
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache1\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache2\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache3\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache4\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit ➝
81830
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit ➝
81830
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit ➝
81830
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit ➝
81830
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ➝
C:\Documents and Settings\All Users\Application Data\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
Creates Mutex: _!MSFTHISTORY!_
Creates Mutex: c:!documents and settings!admin!local settings!temporary internet files!content.ie5!
Creates Mutex: c:!documents and settings!admin!cookies!
Creates Mutex: c:!documents and settings!admin!local settings!history!history.ie5!
Creates Mutex: WininetStartupMutex
Creates Mutex: WininetConnectionMutex
Creates Mutex:
Creates Mutex: WininetProxyRegistryMutex
Creates Mutex:
Creates Mutex: RasPbFile
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex:
Creates File: C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Admin\Cookies\index.dat
Creates File: C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
Creates File: c:\autoexec.bat
Creates File: c:\autoexec.bat
Creates File: c:\autoexec.bat

Network Details:


Raw Pcap

Strings
j#od
"bA#_+\0O:
.cf~
8o*_v
A"o)]
F_vf
G_vns
P_+|
s1s]
{UO:
3]Nv
<N.m
Q_+}
Uaq)C)f
j_+b7
o*]3	6
#_vJ
o;]1
~_+_1s:K
Tn F
_9!Fnq
]vbCl
q)Cb25
s)#S
[FZBl
{nS
ZkA2
qnh.6
3I>t`
B;@}
7A2=`
:q!O
UWQ_
FFFF
t	VW
IIII
IIII
Virt^_
ZJFRF
^NNNN
GHHGH
^H9E
_^[]
/un8H
</uy8A
jdhP[@
hDU@
hPU@
58U@
j h,
j<h,
htU@
58U@
@hdU@
hlU@
58U@
@hXD@
58U@
@hYD@
htU@
58U@
hlU@
h\D@
%0@@
%,@@
%(@@
%$@@
% @@
%4@@
VC20XC00U
SVWU
t:VU
t(x1
]_^[
`\"X?<>4@OH`+0?/
NppHelpAbsentWarning
DocReloadWarning
ATD813,d;[Q#b$
mTF8TjHia.1>JgT<B4
#JheRHlAB")Ch%
thought of it since then - that he had a charm
DispatchMessageA
TranslateMessage
GetMessageA
RegisterClassExA
LoadCursorA
LoadIconA
LoadStringA
UpdateWindow
ShowWindow
CreateWindowExA
PostMessageA
PostQuitMessage
DefWindowProcA
DestroyWindow
EndPaint
DrawTextA
GetClientRect
BeginPaint
SendMessageA
USER32.dll
GlobalSize
SizeofResource
CreateThread
WaitForSingleObject
GlobalAlloc
FindNextFileW
Sleep
FindFirstFileW
FindClose
LoadLibraryA
GetModuleHandleA
KERNEL32.dll
InitCommonControlsEx
COMCTL32.dll
GradientFill
AlphaBlend
MSIMG32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
_exit
_XcptFilter
exit
_acmdln_dll
_initterm
__GetMainArgs
_commode_dll
_fmode_dll
CRTDLL.dll
_global_unwind2
_local_unwind2
GetStartupInfoA
YRmgDLk\PjDR[SCiA
CannotMoveDoc
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+.,:?&@=/%#()
9	?	(	M	&	@
aKfEGGdilb\c]kTY\^DFTcKL`^GKoNi\m\E
DWA^CCc_Xok[T]cdhO
Magnetick
Charge Window App
EXIT
button
edit
static
richedit
ABCDEFG
riched32.dll
ffffff
aGGDDV
tttDP`
twGD``awwGtu
PawwwGE
PffffffWP
GtwwwP
www30www
wwwwwx
wwwwr
wwwwww
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
	<assemblyIdentity version="1.0.4.37"
		processorArchitecture="X86"
		name="COOTEK"
		type="win32"/>
	<description>COOTEK</description>
	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
		<security>
			<requestedPrivileges>
				<requestedExecutionLevel
					level="asInvoker"
					uiAccess="false"/>
				</requestedPrivileges>
		</security>
	</trustInfo>
</assembly>
= =8=C=K=Q=[=
?:???G?L?T?q?v?~?
0.0A0Q0Z0g0
1/141Y1m1
2.23292F2Q2V2o2
2P3V3^3d3j3p3v3P4V4
4&4*424:4>4