Analysis Date2016-11-15 12:07:39
MD5e8609602e870d422c7d7eef42469c9e1
SHA1fc12bcdcbea1cd4a5a7f1a9a94c79aa74ed3320a

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 020fed93b357e0bde1a193f4c0558f80 sha1: 46bdf93ab52ac060f53f35e302ce194cf3cf6d94 size: 10240
Section.data md5: 1b73ce98820e4adcda9a301a145a0bc3 sha1: 0906732e535fafc178596fb6fdff6735f1d01f66 size: 3072
Section.xcpad md5: sha1: size:
Section.idata md5: sha1: size:
Section.reloc md5: 4338c6405212561091ff364f9032fa88 sha1: 8c0a748e3e8a7310dacdca71932fc9f22e20cf17 size: 1024
Section.rsrc md5: 27094e14de42b975631c313a3a517791 sha1: d0b2400e7f9875f6f0b2dd1bcb63b222687fbb46 size: 20480
Timestamp
VersionLegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
PackerMicrosoft Visual C 2.0
PEhash
IMPhashec5885042cc2b33d72a078126ecee5b3
AV360 SafeNo Virus
AVAd-AwareTrojan.Upatre.Gen.3
AVAlwil (avast)?
AVArcabit (arcavir)Trojan.Upatre.Gen.3
AVAuthentiumW32/Upatre.CC.gen!Eldorado
AVAvira (antivir)TR/Yarwi.bntdj
AVBitDefenderTrojan.Upatre.Gen.3
AVBullGuardTrojan.Upatre.Gen.3
AVCA (E-Trust Ino)Trojan.Upatre.Gen.3
AVCAT (quickheal)Trojan.Kadena.B4
AVClamAVNo Virus
AVDr. WebTrojan.DownLoader22.18365
AVEmsisoftTrojan.Upatre.Gen.3
AVEset (nod32)Win32/Kryptik.DQXG
AVF-SecureTrojan.Upatre.Gen.3
AVFortinetW32/Kryptik.DQAA!tr
AVFrisk (f-prot)W32/Upatre.CC.gen!Eldorado
AVGrisoft (avg)Generic_s.FAG
AVIkarusTrojan.VB.Crypt
AVK7Trojan ( 004ce6cb1 )
AVKasperskyTrojan.Win32.Generic
AVMalwareBytesTrojan.Upatre
AVMcafeeUpatre-FACH!E8609602E870
AVMicroWorld (escan)Trojan.Upatre.Gen.3
AVMicrosoft Security EssentialsNo Virus
AVRisingNo Virus
AVSUPERAntiSpywareTrojan.Agent/Gen-Upatre
AVSymantecDownloader.Upatre!gen5
AVTrend MicroTROJ_UPATRE.SM37
AVTwisterTrojan.Girtk.DQXG.pnmo
AVVirusBlokAda (vba32)No Virus
AVWindows DefenderTrojanDownloader:Win32/Upatre!rfn
AVZillya!Downloader.CTBLocker.Win32.12

Runtime Details:

Screenshot

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\serizay.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths ➝
4
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache1\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache2\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache3\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ➝
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache4\\x00
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit ➝
81830
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ➝
C:\Documents and Settings\All Users\Application Data\\x00
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
0
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝
1
Creates Mutexc:!documents and settings!admin!local settings!temporary internet files!content.ie5!
Creates Mutexc:!documents and settings!admin!cookies!
Creates Mutexc:!documents and settings!admin!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutex
Creates Mutex
Creates MutexRasPbFile
Creates MutexZonesCounterMutex
Creates MutexZonesCacheCounterMutex
Creates MutexZonesLockedCacheCounterMutex
Creates Mutex
Creates FileC:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Admin\Cookies\index.dat
Creates FileC:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat
Creates Filec:\autoexec.bat

Process
↳ C:\fc12bcdcbea1cd4a5a7f1a9a94c79aa74ed3320a.exe

Creates FileC:\WINDOWS\WindowsShell.Manifest
Creates FileC:\fc12bcdcbea1cd4a5a7f1a9a94c79aa74ed3320a.exe
Creates FileC:\DOCUME~1\Admin\Local Settings\Temp\serizay.exe

Network Details:


Raw Pcap

Strings
I+Yt
e1~8
{DJh
W3v8
y6*E+
[DW+
(m1NX
DX04
d3vp
GF8!+
Y1~\
3EOA
3N(J
1vHz
]1vL
,K(E31
U11u
GOFh
3EOA
^]Gf
S&I+
^]Gf
3v4J
7GQm
^uGFP
Ah%G
3#+j
UWQ_
FFFF
t	VW
IIII
IIII
Virt^_
ZJFRF
^NNNN
GHHGH
^H9E
_^[]
/un8H
</uy8A
jdhP[@
h@U@
hLU@
51U@
j h,
j<h,
hpU@
51U@
@h`U@
hhU@
51U@
@hTD@
51U@
@hUD@
hpU@
51U@
hhU@
hXD@
ht3@
%0@@
%,@@
%(@@
%$@@
% @@
%4@@
VC20XC00U
SVWU
t:VU
t(x1
]_^[
K(XEY4VLR3l>7/
NppHelpAbsentWarning
DocReloadWarning
AO-DF6.1_Vh>Hgj%
ZJ1KHJgB#.^D=
 HIGiOFe6kkSif2.*
thought of it since then - that he had a charm
DispatchMessageA
TranslateMessage
GetMessageA
RegisterClassExA
LoadCursorA
LoadIconA
LoadStringA
UpdateWindow
ShowWindow
CreateWindowExA
PostMessageA
PostQuitMessage
DefWindowProcA
DestroyWindow
EndPaint
DrawTextA
GetClientRect
BeginPaint
SendMessageA
USER32.dll
GlobalSize
SizeofResource
CreateThread
WaitForSingleObject
GlobalAlloc
FindNextFileW
Sleep
FindFirstFileW
FindClose
LoadLibraryA
GetModuleHandleA
KERNEL32.dll
InitCommonControlsEx
COMCTL32.dll
GradientFill
AlphaBlend
MSIMG32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
_exit
_XcptFilter
exit
_acmdln_dll
_initterm
__GetMainArgs
_commode_dll
_fmode_dll
CRTDLL.dll
_global_unwind2
_local_unwind2
GetStartupInfoA
Z[ikAPCr\nOe_WWPZaU
CannotMoveDoc
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+.,:?&@=/%#()
9	?	(	M	&	@
doZhWlERLY]MpqSAGsN\QCUh\SAjPO
QVenXiFgeGEsATR
Magnetick
Charge Window App
EXIT
button
edit
static
richedit
ABCDEFG
riched32.dll
ffffff
aGGDDV
tttDP`
twGD``awwGtu
PawwwGE
PffffffWP
GtwwwP
www30www
wwwwwx
wwwwr
wwwwww
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
	<assemblyIdentity version="1.0.4.37"
		processorArchitecture="X86"
		name="COOTEK"
		type="win32"/>
	<description>COOTEK</description>
	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
		<security>
			<requestedPrivileges>
				<requestedExecutionLevel
					level="asInvoker"
					uiAccess="false"/>
				</requestedPrivileges>
		</security>
	</trustInfo>
</assembly>
=(=3=;=A=K=p=~=
?*?/?7?<?D?a?f?n?s?
010A0J0W0
1$1I1]1y1
2#2)262A2F2_2r2w2
2@3F3N3T3Z3`3f3@4F4
4!4%4-45494