Analysis Date: 2015-05-05 09:22:10
MD5: 2f0cfe0e136e6c664082aec8adebfed5
SHA1: 44fd469648c7fda4ac34cce39ba879b9cfab9c14

Static Details:

File type: MS-DOS executable
Section _FLAT md5: 9f1f17f162d83d1f5a1a57a7120282e0 sha1: 4195d0fcf213ccf4c00735ea1a1e964669587884 size: 180224
Section .imports md5: b0b936b93b9a54aeadf8e6c7da430144 sha1: 362ac69757121a4364dd2ab0ef94d617e41c1286 size: 8192
Timestamp: 1970-01-01 00:00:00
Packer: Borland Delphi 3.0 (???)
PEhash: 6d022ed553a77458b5ce62e681e24c807213072e
IMPhash: c79527b45e89489440961ebec2860fa9
AV Ad-Aware: Gen:Variant.Kazy.551846
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.551846
AV Authentium: W32/S-6bfc736e!Eldorado
AV Avira (antivir): TR/Hijacker.Gen
AV BitDefender: Gen:Variant.Kazy.551846
AV BullGuard: Gen:Variant.Kazy.551846
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Plugx.r2
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.551846
AV Eset (nod32): Win32/Korplug.A
AV Fortinet: W32/Korplug.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.551846
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.Win32.Korplug
AV K7: Trojan ( 003db13d1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Gen:Variant.Kazy.551846
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Behav-010
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: W32.Korplug.A.dmat
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Network Details:


Raw Pcap

Strings
\??\
1234
%16.16X
%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d
%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d: 
%ALLUSERSPROFILE%
%ALLUSERSPROFILE%\cmdkey
%ALLUSERSPROFILE%\SxS
boot.cfg
\bug.log
CLSID
CMD.EXE
CommandLine
CompanyName
CONIN$
CONOUT$
ConsentPromptBehaviorAdmin
Create
CRYPTBASE.DLL
DEMO...
\Device\Floppy
DISPLAY
DoInstPrepare
E1954A0F4109680D
EnableLUA
FileDescription
FileVersion
HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
hha.dll
hha.dll.bak
hhc.exe
jjjj
jjjjjj
LNULL
l%s\sysprep\CRYPTBASE.DLL
~MHZ
Mozilla/4.0 (compatible; MSIE 
Mozilla Firefox
NvSmart.hlp
\Parameters
PI[%8.8X]
\\.\pipe\a%d
\\.\pipe\b%d
\\.\PIPE\RUN_AS_USER(%d)
ProcessId
ProductName
ProductVersion
ROOT\CIMV2
RUNAS
S-1-16-12288
"%s" %d %d
%s %d %d
%s\%d.plg
SeDebugPrivilege
ServiceDll
SeShutdownPrivilege
SeTcbPrivilege
%s\msiexec.exe %d %d
%s\msiexec.exe UAC
sNT AUTHORITY
Software\CLASSES\FAST
Software\CLASSES\FAST\PROXY
SOFTWARE\Microsoft\Internet Explorer\Version Vector
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Run
%s\sysprep
%s\sysprep\sysprep.exe
static
\StringFileInfo\%4.4X%4.4X\%s
\SxS
System
SYSTEM
System\CurrentControlSet\Services
SYSTEM\CurrentControlSet\Services\
\SystemRoot\
%SystemRoot%\system32\svchost.exe
THIS IS A DEMO VERSION!!!
tSystem Idle Process
UAC.TMP
\VarFileInfo\Translation
Win32_Process
%windir%\explorer.exe
%WINDIR%\SYSTEM32\SERVICES.EXE
; Windows NT %d.%d
WINSTA0
?&?+?=?
0-0?0{0
0!0&0-020D0M0V0\0a0f0m0r0
0?0\0`0d0h0
0%0+0@0I0
0 0.0<0J0X0f0x0
0-020=0B0q0
0#080=0O0T0
0"090F0
	0-0G0
0&0k0{0
0"0V0e0
0"0X0d0t0
0(1\1v1
0(141E1c1y1
0>1H1t1
0@1I1R1X1]1b1i1n1~1&222;2
	030B0I0
031C1[1`1x1
041;1E2Y2o2
-070q0{0
;(;0;8;
<&<0<9<@<Z<`<
0D1`1r1x1
0N0X0e0
0Q0d0m0s0x0}0
0t9It#ItCIu
<"=,=1=;=
101;1]1i1
102K2g2
1&1,11161=1B1}1
1&1<1^1o1u1
1!1*131:1?1G1V1_1h1o1t1|1
1(121=1
1"1D1M1V1\1a1f1m1r1{1
1!1E2P2j2u2~2
1*1F1t1~1
1@1M1S1[1t1
1"2-242E2T2^2
1?2I2Q2Z2
1#2R2[2d2j2o2t2{2
141V1b1n1
;1;6;A;F;k;
192.168.0.100
>!>*>1>A>V>[>f>k>
> >%>,>1>B>N>x>
1C2Y2s2$3*3J3X3
;1;\;h;
<1<S<_<
2-2;2{2
2 2%2,21282=2D2I2Q2a2l2s2y2
2'2,2G2Q2Z2x2
2-232;2C2I2g2o2u2
2"232H2M2_2d2
223>3G3M3R3W3^3c3
2'272C2t2
2!292@2X2_2w2~2
233<3E3K3P3U3\3a3
2<3C3M3^3s3
?,?2?7?`?
272@2G2W2i2n2y2
2D3R3[3b3s3
:2:e:l:
2F3`3s3
<2=G=P=V=[=`=g=l=
2l2u2~2
2}:X$T
:#:):.:3:::?:
314D4M4S4X4]4d4i4
323;3E3Q3X3^3{3
32373B3G3
3&323h3
3;3\3}3
3(333=3I3R3X3]3b3i3n3
333?3x3
3(4,4044484<4D4P4Y4_4d4i4p4u4
3!4-474>4O4e4j4y4~4
3-454E4N4U4Z4a4f4
=$=3=9=L=R=j=
:":3:9:W:_:e:q:z:
?#?3?;?A?L?P?T?X?\?`?d?h?l?p?
=*=3=<=B=G=L=S=X=
3D3r3~3
>%>->3>I>g>
3J3d3m3s3x3}3
:3:=:M:
3O4m4u4{4
=3=>=R=]=q=|=
425W5c5
4%4*41464B4R4l4q4w4
4!4'4,41484=4
4+444=4C4H4M4T4Y4f4
4(4-4?4D4
4 4.484G4S4g4n4t4
4(4/4B4X4]4l4q4~5
4%4.4F4k4
4.4>4N4^4
4,454>4D4I4N4U4Z4z4
4?4d4y4
4!4Y4c4
4%5<5I5S5
4]5g5x5
>$>,>4>b>g>p>y>
< <)</<4<:<?<G<O<b<k<t<z<
;";+;4;;;@;H;`;i;r;y;~;
=*=/=4=K=P=
4M5W5w5
;"<'<4<:<M<Z<`<s<
:4:^:p:w:
4q5w5~5
<*=4=W=
<*</<4<W<\<a<|<
525Q5W5]5b5{5
545:5B5[5b5
5(545H5R5\5c5
5"5+51565;5B5G5
5%5,51585=5]5f5o5v5{5
5)5?5D5S5X5
5 5+5M5Y5
5&5;5P5U5`5e5
5!5&5Q5c5j5q5
556Q6~6
5/595L5_5f5m5t5{5
5<5c5q5
5-5L5T5
565;5C5O5X5^5c5h5o5t5
5'656t6
5%6J6d6j6o6
5+6L6b6k6p6
5.6N6W6]6b6g6n6s6
=,=5=;=@=E=L=Q=
5T6[6b6k6t6{6
<%=5=Z=n=
:,:6:?:
60A0K0
61666]6b6
626A6j6s6
657Q7V7x7
6#6(6/646e6y6
6(6.666;6B6Y6l6
6*666C6a6i6s6z6
6$6)6J6d6
6*6/6J6O6j6o6
6:6D6M6
6,6D6W6
6-6K6i6
6#6T6Z6_6
6&717>7P7e9o9|9
676C6H6X6b6
6=7J7\7h7}7
>6?J?Z?e?
>&>.>6>Y>f>l>t>
71777N7T7z7
728?8H8N8S8X8_8d8s8
7)727=7L7y7
7,737`7}7
7(747m7
7/747M7`7|7
7.767<7Z7~7
7&767L7Q7`7e7
7#7,72777<7C7H7t7}7
7"7+727C7X7]7o7t7/8R8
7!7+767W7i7s7~7
7'7/7J7d7j7o7
7"7(7P7n7v7
7$7E7P7U7p7
7'7N7T7Z7c7
7(7X7_7
787?7c7j7
788E8\8z8
7=8B8n8
7+8O8U8{8
>7?I?P?w?
>7?U?g?
808[8g8
8&858Z8i8}8
8!8]8|8
8$8*8/878?8K8T8]8d8i8q8}8
8!888I8
8'8,8I8e8n8
8:8[8k8|8
8#8C8M8*949
8<8g8s8|8
8=9G9X9v9
8D8m8t8z8
8D8V8`8j8
8GULPt
=#=8===O=T=
8Y9k9u9
91:^:j:
939=9X9i9
94:F:L:
989@9Q9o9w9
9&949V9j9t9~9
9'989f9y9
9,989V9c9l9s9
9&9/949>9O9Z9`9e9n9s9}9
9!9*9}9
9 9%9d9p9y9
999E9N9W9]9b9g9n9s9
9$9:9F9Q9X9a9k9~9
9;9L9R9
9;9T9]9
9#9Z9d9
9K9R9Y9`9g9
9::_:s:}:
; ;&;A;
AdjustTokenPrivileges
advapi32
advapi32.dll
ADVAPI32.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
AllocateAndInitializeSid
AllocConsole
AttachConsole
BitBlt
: :%:<:B:M:
bootProc
<.<B<V<l<
:?:b:x:
;-;b;z;
C0O0^0h0
CallNextHookEx
ChangeServiceConfig2W
ChangeServiceConfigW
CloseDesktop
CloseHandle
CloseServiceHandle
closesocket
CloseWindowStation
CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CommandLineToArgvW
connect
ConnectNamedPipe
CONNECT %s:%d HTTP/1.1
Content-length: 0
Content-Type: text/html
ControlService
ConvertStringSidToSidW
CoSetProxyBlanket
CoUninitialize
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
CreateDesktopW
CreateDIBSection
CreateDirectoryW
CreateEnvironmentBlock
CreateEventW
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateMutexW
CreateNamedPipeW
CreateProcessAsUserW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExW
D$DPWSVVQ
DefWindowProcW
DeleteCriticalSection
DeleteDC
DeleteFileW
DeleteObject
DeleteService
DestroyEnvironmentBlock
DestroyIcon
DisconnectNamedPipe
DispatchMessageW
dnsapi
dnsapi.dll
DnsFree
DnsQuery_A
;d;n;w;
DoImpUserProc
domain.lookipv6.com
D$(Ph@1
D$ PWj
D$<PWWW
:-<D<Q<
:::D:Q:[:h:r:
D$ S;F
D$tPSh
DuplicateTokenEx
=-=>=D=W=^=k=
EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p
EnterCriticalSection
EnumProcesses
EnumProcessModules
EnumServicesStatusExW
EqualSid
>*>?>E>T>Z>
ExitProcess
ExitThread
ExitWindowsEx
ExpandEnvironmentStringsW
ExtractIconExW
?&?F?]?
f9K4t'
=F=[=a=
FindClose
FindFirstFileW
FindNextFileW
FlushFileBuffers
FreeConsole
FreeSid
gdi32.dll
GDI32.dll
GdiFlush
GenerateConsoleCtrlEvent
GetAdaptersInfo
GetAsyncKeyState
GetClassNameW
GetCommandLineW
GetComputerNameW
GetConsoleCP
GetConsoleCursorInfo
GetConsoleDisplayMode
GetConsoleMode
GetConsoleOutputCP
GetConsoleScreenBufferInfo
GetConsoleWindow
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetDIBits
GetDiskFreeSpaceExW
GetDriveTypeW
GetExitCodeThread
GetExtendedTcpTable
GetExtendedUdpTable
GetFileAttributesW
GetFileSize
GetFileTime
GetFileVersionInfoSizeW
GetFileVersionInfoW
GetForegroundWindow
gethostbyname
GetIconInfo
GetKeyState
GetLastError
GetLengthSid
GetLocalTime
GetMessageW
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetModuleInformation
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetQueuedCompletionStatus
GetRawInputData
getsockname
GetStdHandle
GetSystemDefaultLCID
GetSystemDirectoryW
GetSystemInfo
GetSystemMetrics
GetSystemTime
GetTcpTable
GetThreadDesktop
GetTickCount
GetTokenInformation
GetUdpTable
GetUserNameW
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GetWindowTextW
GetWindowThreadProcessId
GlobalMemoryStatus
GlobalMemoryStatusEx
>GULPt
?GULPt
>GULPu
HeapFree
Ht'Ht$Ht!
HTTP://
HTTP/1.0 200 
HTTP/1.1 200 
HttpAddRequestHeadersA
HttpEndRequestA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestExA
;&;,;i;
<I<i<x<
;@;I<m<
ImpersonateLoggedOnUser
.imports
inet_addr
inet_ntoa
InitializeCriticalSection
InitiateSystemShutdownA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetSetOptionA
InternetWriteFile
iphlpapi
IPHLPAPI.DLL
=+=?=I=q=
IsWow64Process
=j=G>P>k>}>
JoProc
JoProcAccept
JoProcBroadcast
JoProcBroadcastRecv
JoProcListen
?]?j?p?x?
JtnJtTJtAJt
jWX_^[
jWX_^[]
>_>k>}>
kernel32
kernel32.dll
KERNEL32.dll
	keybd_event
keybd_event
KeyLog
KillTimer
KLProc
LdrLoadShellcode
LeaveCriticalSection
LoadCursorW
LoadLibraryA
LocalAlloc
LocalFree
LocalLock
LocalReAlloc
LocalUnlock
LockWorkStation
LookupAccountSidW
LookupPrivilegeValueW
=L>P>T>X>\>`>d>h>l>p>t>x>|>
<%<L<q<~<
L$(QSj
>=>l>r>x>
lstrcatW
lstrcmpA
lstrcmpiW
lstrcmpW
lstrcpyA
lstrcpynA
lstrcpynW
lstrcpyW
lstrlenA
lstrlenW
L$tQSh
:?;L;V;r;
MapViewOfFile
memcmp
memcpy
memset
MessageBoxW
	mouse_event
mouse_event
msvcrt.dll
MultiByteToWideChar
>)>`>n>
Nethood
Netstat
=;>N>j>{>
ntdll.dll
odbc32.dll
ODBC32.dll
ole32.dll
oleaut32.dll
OLEAUT32.dll
OlProc
OlProcManager
OlProcNotify
<&<-<O<`<o<~<
OpenFileMappingW
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManagerW
OpenServiceW
OpenWindowStationW
Option
$_OQ#_A
OutputDebugStringA
OutputDebugStringW
>->=>P>
PlugProc
PortMap
PostMessageA
PostQueuedCompletionStatus
PostQuitMessage
Process
Process32FirstW
Process32NextW
ProcessIdToSessionId
Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]
Proxy-Authorization: Basic %s
Proxy-Connection: Keep-Alive
psapi.dll
PVVVVVVh 
?Q?k?q?
QSSSSSSVS
QSVWh,
QSVWjT
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
QueryServiceConfig2W
QueryServiceConfigW
QueryServiceStatusEx
QueueUserAPC
QWWPWW
?$?Q?X?s?
ReadConsoleOutputW
ReadFile
ReadProcessMemory
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEdit
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
RegisterRawInputDevices
RegOpenCurrentUser
RegOpenKeyExW
RegOverridePredefKey
RegQueryValueExW
RegSetValueExW
RemoveDirectoryW
ResetEvent
ResumeThread
RevertToSelf
RtlCompressBuffer
RtlDecompressBuffer
RtlGetCompressionWorkSpaceSize
RtlMessageBoxProc
RtlNtStatusToDosError
?RVhTu
RWWWWWWh
Screen
ScreenT1
ScreenT2
%s: %d
SelectObject
Service
SetCapture
SetConsoleCtrlHandler
SetConsoleScreenBufferSize
SetCursorPos
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesW
SetFilePointer
SetFileTime
SetProcessWindowStation
setsockopt
SetTcpEntry
SetThreadDesktop
SetTimer
SetTokenInformation
SetUnhandledExceptionFilter
SetWindowLongW
SetWindowsHookExW
SfcIsFileProtected
SHCopyKeyW
SHCreateItemFromParsingName
SHDeleteKeyW
SHDeleteValueW
shell32.dll
SHELL32.dll
ShellExecuteExW
ShellT1
ShellT2
SHEnumKeyExW
SHEnumValueW
SHFileOperationW
SHGetValueW
shlwapi
ShowWindow
SiProc
socket
SQLAllocEnv
SQLAllocHandle
SQLColAttributeW
SQLDataSourcesW
SQLDisconnect
SQLDriverConnectW
SQLDriversW
SQLExecDirectW
SQLFetch
SQLFreeHandle
SQLGetData
SQLGetDiagRecW
SQLMoreResults
SQLNumResultCols
SQLSetEnvAttr
SSSSSRSj
SSSVSQ
StartServiceW
SxWorkProc
T$4RhHj
t7Ht Ht
:T:a:h:q:z:
:T;b;k;r;
Telnet
TelnetT1
TelnetT2
TerminateProcess
t,f9\8
t>f9Q*u8
t.Ht Ht
t'jhWV
tlHti-
tNHt0H
TranslateMessage
t$ RWVj
t"SSSj
:u_f9G
UnhookWindowsHookEx
/update?id=%8.8x
user32
user32.dll
USER32.dll
userenv
userenv.dll
VariantClear
;V<]<d<k<r<
;V<e<{<
VerQueryValueW
version
;V<f<o<u<z<
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQueryEx
Vt8It"It
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WindowFromPoint
	WindowFromPoint
wininet
wininet.dll
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WriteConsoleInputW
WriteFile
WriteProcessMemory
ws2_32
ws2_32.dll
WS2_32.dll
WSACleanup
WSAGetLastError
WSAGetOverlappedResult
WSAIoctl
WSARecv
WSARecvFrom
WSASend
WSASendTo
WSASocketA
WSAStartup
wsprintfA
	wsprintfA
wsprintfW
	wsprintfW
wtsapi32
Wtsapi32
wtsapi32.dll
WTSEnumerateProcessesW
WTSFreeMemory
WTSGetActiveConsoleSessionId
WTSQueryUserToken
<w\u(3
=X=l=u={=
X-Session
X-Size
X-Status