Analysis Date2016-11-16 02:30:46
MD5e5b14507c96ab1b96c245d0ecd3e720f
SHA15bcc85a09b49f9ecd403e64d374d7d8459407652

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 020fed93b357e0bde1a193f4c0558f80 sha1: 46bdf93ab52ac060f53f35e302ce194cf3cf6d94 size: 10240
Section.data md5: 1b73ce98820e4adcda9a301a145a0bc3 sha1: 0906732e535fafc178596fb6fdff6735f1d01f66 size: 3072
Section.xcpad md5: sha1: size:
Section.idata md5: sha1: size:
Section.reloc md5: 4338c6405212561091ff364f9032fa88 sha1: 8c0a748e3e8a7310dacdca71932fc9f22e20cf17 size: 1024
Section.rsrc md5: 27094e14de42b975631c313a3a517791 sha1: d0b2400e7f9875f6f0b2dd1bcb63b222687fbb46 size: 20480
Timestamp
VersionLegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
PackerMicrosoft Visual C 2.0
PEhash
IMPhashec5885042cc2b33d72a078126ecee5b3
AV360 SafeNo Virus
AVAd-AwareTrojan.Upatre.Gen.3
AVAlwil (avast)?
AVArcabit (arcavir)Trojan.Upatre.Gen.3
AVAuthentiumW32/Upatre.CC.gen!Eldorado
AVAvira (antivir)TR/Yarwi.bntdj
AVBitDefenderTrojan.Upatre.Gen.3
AVBullGuardTrojan.Upatre.Gen.3
AVCA (E-Trust Ino)Trojan.Upatre.Gen.3
AVCAT (quickheal)Trojan.Kadena.B4
AVClamAVNo Virus
AVDr. WebTrojan.DownLoader22.18365
AVEmsisoftTrojan.Upatre.Gen.3
AVEset (nod32)Win32/Kryptik.DQXG
AVF-SecureTrojan.Upatre.Gen.3
AVFortinetW32/Kryptik.DQAA!tr
AVFrisk (f-prot)W32/Upatre.CC.gen!Eldorado
AVGrisoft (avg)Generic_s.FAG
AVIkarusTrojan.VB.Crypt
AVK7Trojan ( 004ce6cb1 )
AVKasperskyTrojan.Win32.Generic
AVMalwareBytesTrojan.Upatre
AVMcafeeUpatre-FACH!E5B14507C96A
AVMicroWorld (escan)Trojan.Upatre.Gen.3
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Upatre!rfn
AVPadvishNo Virus
AVRisingNo Virus
AVSUPERAntiSpywareTrojan.Agent/Gen-Upatre
AVSymantecDownloader.Upatre!gen5
AVTrend MicroTROJ_UPATRE.SM37
AVTwisterTrojan.Girtk.DQXG.pnmo
AVVirusBlokAda (vba32)No Virus
AVWindows DefenderTrojanDownloader:Win32/Upatre!rfn
AVZillya!Downloader.CTBLocker.Win32.12

Runtime Details:

Screenshot

Process
↳ C:\5bcc85a09b49f9ecd403e64d374d7d8459407652.exe

Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\5bcc85a09b49f9ecd403e64d374d7d8459407652.exe
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\serizay.exe

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\serizay.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths ➝
4
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache1\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache2\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache3\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache4\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ➝
C:\Documents and Settings\All Users\Application Data\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
Creates Mutex_!MSFTHISTORY!_
Creates Mutexc:!documents and settings!admin!local settings!temporary internet files!content.ie5!
Creates Mutexc:!documents and settings!admin!cookies!
Creates Mutexc:!documents and settings!admin!local settings!history!history.ie5!
Creates MutexWininetStartupMutex
Creates MutexWininetConnectionMutex
Creates Mutex
Creates MutexWininetProxyRegistryMutex
Creates Mutex
Creates MutexRasPbFile
Creates MutexZonesCounterMutex
Creates MutexZonesCacheCounterMutex
Creates MutexZonesLockedCacheCounterMutex
Creates Mutex
Creates FileC:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Admin\Cookies\index.dat
Creates FileC:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e312920 4170706c 65576562   NT 6.1) AppleWeb
0x00000060 (00096)   4b69742f 3533352e 33362028 4b48544d   Kit/535.36 (KHTM
0x00000070 (00112)   4c2c206c 696b6520 4765636b 6f292043   L, like Gecko) C
0x00000080 (00128)   68726f6d 652f3434 2e302e32 3435352e   hrome/44.0.2455.
0x00000090 (00144)   38312053 61666172 692f3533 352e3336   81 Safari/535.36
0x000000a0 (00160)   0d0a486f 73743a20 63686563 6b69702e   ..Host: checkip.
0x000000b0 (00176)   64796e64 6e732e6f 72670d0a 43616368   dyndns.org..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a                       che....


Strings
I+Yt
e1~8
{DJh
W3v8
y6*E+
[DW+
(m1NX
DX04
d3vp
GF8!+
Y1~\
3EOA
3N(J
1vHz
]1vL
,K(E31
U11u
GOFh
3EOA
^]Gf
S&I+
^]Gf
3v4J
7GQm
^uGFP
Ah%G
3#+j
UWQ_
FFFF
t	VW
IIII
IIII
Virt^_
ZJFRF
^NNNN
GHHGH
^H9E
_^[]
/un8H
</uy8A
jdhP[@
h@U@
hLU@
51U@
j h,
j<h,
hpU@
51U@
@h`U@
hhU@
51U@
@hTD@
51U@
@hUD@
hpU@
51U@
hhU@
hXD@
ht3@
%0@@
%,@@
%(@@
%$@@
% @@
%4@@
VC20XC00U
SVWU
t:VU
t(x1
]_^[
K(XEY4VLR3l>7/
NppHelpAbsentWarning
DocReloadWarning
AO-DF6.1_Vh>Hgj%
ZJ1KHJgB#.^D=
 HIGiOFe6kkSif2.*
thought of it since then - that he had a charm
DispatchMessageA
TranslateMessage
GetMessageA
RegisterClassExA
LoadCursorA
LoadIconA
LoadStringA
UpdateWindow
ShowWindow
CreateWindowExA
PostMessageA
PostQuitMessage
DefWindowProcA
DestroyWindow
EndPaint
DrawTextA
GetClientRect
BeginPaint
SendMessageA
USER32.dll
GlobalSize
SizeofResource
CreateThread
WaitForSingleObject
GlobalAlloc
FindNextFileW
Sleep
FindFirstFileW
FindClose
LoadLibraryA
GetModuleHandleA
KERNEL32.dll
InitCommonControlsEx
COMCTL32.dll
GradientFill
AlphaBlend
MSIMG32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
_exit
_XcptFilter
exit
_acmdln_dll
_initterm
__GetMainArgs
_commode_dll
_fmode_dll
CRTDLL.dll
_global_unwind2
_local_unwind2
GetStartupInfoA
Z[ikAPCr\nOe_WWPZaU
CannotMoveDoc
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+.,:?&@=/%#()
9	?	(	M	&	@
doZhWlERLY]MpqSAGsN\QCUh\SAjPO
QVenXiFgeGEsATR
Magnetick
Charge Window App
EXIT
button
edit
static
richedit
ABCDEFG
riched32.dll
ffffff
aGGDDV
tttDP`
twGD``awwGtu
PawwwGE
PffffffWP
GtwwwP
www30www
wwwwwx
wwwwr
wwwwww
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
	<assemblyIdentity version="1.0.4.37"
		processorArchitecture="X86"
		name="COOTEK"
		type="win32"/>
	<description>COOTEK</description>
	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
		<security>
			<requestedPrivileges>
				<requestedExecutionLevel
					level="asInvoker"
					uiAccess="false"/>
				</requestedPrivileges>
		</security>
	</trustInfo>
</assembly>
=(=3=;=A=K=p=~=
?*?/?7?<?D?a?f?n?s?
010A0J0W0
1$1I1]1y1
2#2)262A2F2_2r2w2
2@3F3N3T3Z3`3f3@4F4
4!4%4-45494