Analysis Date: 2015-05-12 06:45:44
MD5: 1b37345b2d8a202846ccda109e7da503
SHA1: 590ff28984d69d64c944536bc3cbc80ad234a045

Static Details:

File type: MS-DOS executable
Section _FLAT md5: fb8ea71402c515593725aff30f3262f5 sha1: 936cd800d174c176726c92c9b98aa6171c1e6e3c size: 196608
Section .imports md5: 2ea51f20c8d0c1500653ce9367e367a5 sha1: 3966eab1e4e2af373bc7ba96666fa953aaf2be68 size: 8192
Timestamp: 1970-01-01 00:00:00
Packer: Borland Delphi 3.0 (???)
PEhash: 66aa81f8691749390c39341ae0e6f716238cd296
IMPhash: 5885792bb6d4ea10f863a783633fbb2c
AV Ad-Aware: Gen:Variant.Kazy.551846
AV Alwil (avast): Agent-AYPV [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.551846
AV Authentium: W32/S-0866b0ae!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BitDefender: Gen:Variant.Kazy.551846
AV BullGuard: Gen:Variant.Kazy.551846
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.551846
AV Eset (nod32): Win32/Korplug.A
AV Fortinet: W32/Korplug.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.551846
AV Grisoft (avg): no_virus
AV Ikarus: Trojan-Downloader.Win32.Thoper
AV K7: Trojan ( 003db13d1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Gen:Variant.Kazy.551846
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Behav-010
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: W32.Korplug.A.ziin.mg
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Network Details:


Raw Pcap

Strings
\??\
07B07F856AD63BE5
1234
%16.16X
%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d: 
%ALLUSERSPROFILE%
%ALLUSERSPROFILE%\AVck
%ALLUSERSPROFILE%\VsMap
AVck
boot.cfg
\bug.log
CLSID
CMD.EXE
CompanyName
CONIN$
CONOUT$
ConsentPromptBehaviorAdmin
CRYPTBASE.DLL
\Device\Floppy
DISPLAY
EnableLUA
FileDescription
FileVersion
Global\DelSelf(%8.8X)
HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
jjjj
LNULL
l%s\sysprep\CRYPTBASE.DLL
mcappcfg.exe
~MHZ
Mozilla/4.0 (compatible; MSIE 
\Parameters
PI[%8.8X]
\\.\pipe\a%d
\\.\pipe\b%d
\\.\PIPE\RUN_AS_USER(%d)
ProductName
ProductVersion
pUAC.TMP
RUNAS
S-1-16-12288
%s %d %d
%s\%d.plg
SeDebugPrivilege
ServiceDll
SeShutdownPrivilege
SeTcbPrivilege
SHFolder.dll
SHFolder.dll.shf
%s\msiexec.exe %d %d
%s\msiexec.exe UAC
sNT AUTHORITY
Software\CLASSES\FAST
Software\CLASSES\FAST\PROXY
SOFTWARE\Microsoft\Internet Explorer\Version Vector
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Run
%s\sysprep
%s\sysprep\sysprep.exe
\StringFileInfo\%4.4X%4.4X\%s
\SxS
System
SYSTEM
System\CurrentControlSet\Services
SYSTEM\CurrentControlSet\Services\
\SystemRoot\
%SystemRoot%\system32\svchost.exe
tSystem Idle Process
\VarFileInfo\Translation
VsMap
VsMap Reporting module
%windir%\explorer.exe
%WINDIR%\SYSTEM32\SERVICES.EXE
; Windows NT %d.%d
WINSTA0
0!0&0+02070^0
0$0*0/040;0@0k0
0&0:0E0Y0d0x0
0+0:0I0h0
0/0=0u0
0$030n0}0
0$070}0
"0'090D0V0t0
0)0a0p0}0
0 0C0a0i0
0 0d0s0
!0/0F0W0f0
+0:0P0_0
010R0l0
0.1<1K1
0"1>1Z1g1
0(181\1i1
0>1c1m1
0'1N1_1
0@1P1f1p1
030A0O0]0k0y0
"050D0R0p0
<0<6<{<
$060g0x0
<'<0<6<;<@<G<L<`<e<l<q<}<
081_1s1
0D0K0^0
0G1X1g1
0N0h0}0
<$=(=,=0=S=[=k=x=<>F>S>b>
0t<It#ItFIu
;&;0;;;U;
101H1X1k1z1
1#1(1-14191^1
1"1'131I1U1b1}1
1"1'1B1]1s1|1
1,1@1e1
1$1]1n1
1 181?1W1^1
1-1C1[1j1
1+1G1a1q1
1>1M1q1
1#1T1n1
1-2>2c2o2}2
127.0.0.1
1.272<2X2
131>1I1
132[2l2{2
1)353K3W3k3u3
141D1h1o1v1}1
151B1f1
152<2]2
? ?%?*?1?6?v?
;(;1;7;<;A;I;\;e;n;t;y;~;
= =%=,=1=8===D=I=Q=a=l=s=y=
191P1_1
>1?D?M?S?X?]?d?i?
1H2L2P2T2X2\2d2p2y2
;1<><R<[<a<f<k<r<w<
212S2u2
2#212O2`2x2
2 2,232<2E2N2\2
2"2+242;2@2H2W2`2i2p2u2}2
2&2,262<2F2L2R2z2
2$2*2F2N2T2p2x2~2
2'262E2
2 2c2}2
2:2e2q2
2)2i2t2z2
233R3q3
2&353^3
272?2Y2
=)=2=;=A=F=K=R=W=d=
>2>A>P>
2d2m2v2|2
<2<=<F<M<R<Z<~<
=$=2=?=[=q=z=
?2?S?t?
<!<&<-<2<T<f<o<v<
30?0K0^0m0
313A3P3_3r3
3,3034383<3@3D3H3a3
3!3'3-323K3Z3_3
3#3-3=3g3
3"3-3?3N3_3s3
3'3/3B3`3q3
3%3<3M3j3x3
3=3]3n3
3)353B3]3p3u3
3+3I3U3l3y3
3(3M3c3{3
3;3q3{3
3(3Z3_3e3o3{3
3,434;4P4c4z4
3	4'4/4G4v4
3$4:4C4I4N4S4Z4_4
344W4k4t4z4
3/464=4D4K4R4
3,484A4G4L4Q4X4]4
>!>*>3>9>>>C>J>O>d>m>v>|>
?%?,?3?:?A?H?O?U?a?
>$>3><>B>G>L>S>X>q>z>
=%=3=c=j=~=
:3:D:_:j:s:
3E3\3i3s3
:(;3;G;
:!:*:3:::?:G:u:
="='=3=I=U=b=}=
;&;+;3;M;Z;c;l;s;x;
424F4y4
424T4v4
434D4S4d4
4,424A4G4V4\4k4p4
4.4;4J4O4U4\4a4r4z4
4,4>4J4Y4
4"4=4P4U4n4
4)454E4O4Y4h4w4
4'4S4}4
4$4S4`4i4r4x4}4
4>4U4b4
4&525p5
4)535R5{5
464]4$565G5m5
:#:(:-:4:9:a:
;$;-;4;9;@;E;s;};
4A5P5'666
:!:4:A:_:e:k:p:|:
>4>@>b>n>
:4;B;T;p;
<#<(</<4<E<[<
;,;4;?;F;R;
4G5-6@6M6\6a6g6n6s6
?%?4?J?[?i?
4L4k4z4
?&?4?R?Z?`?k?z?
=4>R>Z>o>|>
5%5,51585=5[5d5m5t5y5
5/5;5]5
5)5:5]5
5!5+555D5S5c5
5!5(5-5F5X5
5$565b5z5
5.575F5K5U5c5m5|5
5/5H5s5
5'5H5W5}5
5*5H5W5a5l5
5<5Q5X5l5
565a5o5
5$6/6=6j6t6
5'6?6p6
5#696G6k6
595F5O5X5^5c5h5o5t5
595N5W5]5b5g5n5s5
5B5f5y5
5B5U5c5n5u5
:):5:B:]:p:u:
>'?5?V?
646@6U6y6
646C6_6i6
6$6)6.656:6S6
6!6-6?6J6^6p6{6
6-6@6E6^647Y7f7
6&6+6F6T6
667K7Z7r7
6<6B6G6\7f7r8x8}8
6$6D6M6V6]6b6i6n6
6.6H6W6n6}6
6)737A7
6"7?7I7j7t7
6<7E7\7}7
6:7K7Y7e7k7t7}7
6D7V7_7f7w7
:';6;D;U;
>'>->6>O>a>g>p>
<6<><q<
:$:6:S:
>6>^>y>
717T7p7
7+707@7J7h7
7"717;7R7s7
7#7(7/747F7
7$7)7.757:7_7
7!7(7-757N7[7d7m7t7y7
7(777M7\7
7$7:7G7P7Y7`7e7m7
7+7?7N7]7l7
7'7B7X7^7f7
7]7f7o7u7z7
7+7L7[7e7k7s7{7
7/7S7b7
7$7U7i7r7x7}7
7?7V7[7w7
7-8A8j8y8
7@8O8x8
> >7>?>^>e>v>
:&:7:F:b:g:s:
<*<7===F=S=Y=^=e=k=r=
>7>M>s>
818H8`8n8}8
868?8H8O8T8\8z8
8%828M8`8e8~8
8:849C9 :.:8:A:P:`:
8)878D8M8j8~8
8'8-82878>8C8d8z8
8"8'8,83888K8t8}8
8!8.8<8C8O8^8
8-8=8_8k8w8
8+8@8b8
8*8;8E8O8_8o8
8@8M8o8
8.8o8<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9
8>8P8Y8_8d8i8p8u8
898>8G8L8R8Y8^8
899I9s9
8GULPt
8GULPu#
8T9e9n9t9y9~9
8U8a8p8z8
8Y8u8z8
90127.0.0.1
909=9F9O9U9Z9_9g9|9
909[9n9t9
9'969R9W9c9y9
9&989?9f9
9#9,92979<9C9H9Z9
9!9&9.959>9G9N9S9[9v9
9"9-9h9
9#9(9H9k9
9+9;9K9a9r9
9.9<9M9b9t9
9.9<9Z9b9h9x9
9(9C9O9b9o9~9
9.9I9Y9c9
9+9M9m9s9
9":C:U:g:w:
9E9V9[9a9h9m9
>&>9>E>S>~>
9F:d:l:
9g9t9}9
9I9W9u9}9
;9;\;k;
9	:*:K:
;A;_;};
?/?A?_?
AdjustTokenPrivileges
advapi32
advapi32.dll
ADVAPI32.dll
>A?H?Q?Z?`?e?j?q?v?
;A<J<Y<t<
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
AllocateAndInitializeSid
AllocConsole
<$<A<P<_<s<
AttachConsole
>&>B>G>S>i>u>
:;:B:I:P:W:
BitBlt
=B>O>g>
bootProc
=B=U=}=e>
ChangeServiceConfig2W
ChangeServiceConfigW
CloseDesktop
CloseHandle
CloseServiceHandle
closesocket
CloseWindowStation
=*>c>n>
CoCreateInstance
CoInitializeEx
CommandLineToArgvW
connect
ConnectNamedPipe
CONNECT %s:%d HTTP/1.1
Content-length: 0
Content-Type: text/html
ControlService
ConvertStringSidToSidW
CoUninitialize
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
CreateDesktopW
CreateDIBSection
CreateDirectoryW
CreateEnvironmentBlock
CreateEventW
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateMutexW
CreateNamedPipeW
CreateProcessAsUserW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
:/;C;U;[;c;{;
D$4PhH
D$8PSS
DeleteCriticalSection
DeleteDC
DeleteFileW
DeleteObject
DeleteService
DestroyEnvironmentBlock
DestroyIcon
=.=@=D=H=L=P=T=X=4>a>w>
DisconnectNamedPipe
=#=*=/=;=D=J=O=T=[=`=
dllmain.cpp
<"<D<M<V<\<a<f<m<r<{<
dnsapi
dnsapi.dll
DnsFree
DnsQuery_A
DoImpUserProc
>!>d>s>
;';d;t;
D$tPSh
DuplicateTokenEx
d:\work\plug7.0(mcappcfg)(gf)(
D$<WPW
EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p
EnterCriticalSection
:<;E;N;T;Y;^;e;j;
EnumProcesses
EnumProcessModules
EnumServicesStatusExW
EqualSid
ExitProcess
ExitThread
ExitWindowsEx
ExpandEnvironmentStringsW
ExtractIconExW
f9~4t"
file: %s, line: %d, error: [%d]%s
FindClose
FindFirstFileW
FindNextFileW
FlushFileBuffers
FormatMessageA
FreeConsole
FreeLibrary
FreeSid
<=<F<U<v<
=<=f=y=
gdi32.dll
GDI32.dll
GdiFlush
GenerateConsoleCtrlEvent
GetAdaptersInfo
GetCommandLineW
GetComputerNameW
GetConsoleCP
GetConsoleCursorInfo
GetConsoleDisplayMode
GetConsoleMode
GetConsoleOutputCP
GetConsoleScreenBufferInfo
GetConsoleWindow
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDeviceCaps
GetDIBits
GetDiskFreeSpaceExW
GetDriveTypeW
GetExitCodeThread
GetExtendedTcpTable
GetExtendedUdpTable
GetFileAttributesW
GetFileSize
GetFileTime
GetFileVersionInfoSizeW
GetFileVersionInfoW
gethostbyname
GetIconInfo
GetLastError
GetLengthSid
GetLocalTime
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetModuleInformation
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetQueuedCompletionStatus
getsockname
GetStdHandle
GetSystemDefaultLCID
GetSystemDirectoryW
GetSystemInfo
GetSystemMetrics
GetSystemTime
GetTcpTable
GetThreadDesktop
GetTickCount
GetTokenInformation
GetUdpTable
GetUserNameW
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
<,<><G<^<l<
GlobalMemoryStatus
GlobalMemoryStatusEx
?>?G?P?V?[?`?g?l?
;GULPt
<><G<V<c<~<
HeapFree
= =:=H=f=n=
Ht)Ht&Ht
HTTP://
HTTP/1.0 200 
HTTP/1.1 200 
HttpAddRequestHeadersA
HttpEndRequestA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestExA
=#=H=W=\=b=i=n=|=
>H>W>\>b>i>n>|>
?$?H?W?\?b?i?n?|?
ImpersonateLoggedOnUser
.imports
inet_addr
inet_ntoa
info.sizn-ru.com
InitializeCriticalSection
InitiateSystemShutdownA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetSetOptionA
InternetWriteFile
iphlpapi
iphlpapi.dll
IsWow64Process
;!;I;V;{;
<"<J<d<m<s<x<}<
>,?J?h?
JoProc
JoProcAccept
JoProcBroadcast
JoProcBroadcastRecv
JoProcListen
JtnJtTJtAJt
jWX_^[
jWX_^[]
kernel32
kernel32.dll
KERNEL32.dll
=K>e>s>|>
keybd_event
<!<K<U<a<j<q<v<}<
: :K:w:
?'?K?z?
L$8QSS
LdrLoadShellcode
LeaveCriticalSection
?+?=?L?g?
LoadCursorW
LoadLibraryA
LocalAlloc
LocalFree
LocalLock
LocalReAlloc
LocalUnlock
LockWorkStation
LookupAccountSidW
LookupPrivilegeValueW
lstrcatW
lstrcmpA
lstrcmpiW
lstrcmpW
lstrcpyA
lstrcpynA
lstrcpynW
lstrcpyW
lstrlenA
lstrlenW
L$tQSh
<#<L<Z<{<
MapViewOfFile
=#=+=@=M=d=y=
memcmp
memcpy
memset
MessageBoxW
mouse_event
msvcrt.dll
;M<T<[<b<i<
MultiByteToWideChar
Nethood
Netstat
niisvtf.f3322.org
note.wikaba.com
ntdll.dll
NtQueryInformationProcess
odbc32.dll
ODBC32.dll
ole32.dll
OlProc
OlProcManager
OlProcNotify
OpenFileMappingW
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManagerW
OpenServiceW
OpenWindowStationW
Option
OutputDebugStringA
OutputDebugStringW
PlugProc
PortMap
PostMessageA
PostQueuedCompletionStatus
/%p/%p/%p
@PPRWSPP
Process
ProcessIdToSessionId
Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]
Proxy-Authorization: Basic %s
Proxy-Connection: Keep-Alive
psapi.dll
PSSSSSSWS
PVVVVVVh 
;/;>;Q;`;
:;:Q:d:s:
:Q:h:w:
QRPh0S4
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
QueryServiceConfig2W
QueryServiceConfigW
QueryServiceStatusEx
QueueUserAPC
QWWPWW
= =%=>=Q=Y=d=
>(>@>R>
ReadConsoleOutputW
ReadFile
ReadProcessMemory
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEdit
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
RegOpenCurrentUser
RegOpenKeyExW
RegOverridePredefKey
RegQueryValueExW
RegSetValueExW
RemoveDirectoryW
ResetEvent
ResumeThread
RevertToSelf
RtlCompressBuffer
RtlDecompressBuffer
RtlGetCompressionWorkSpaceSize
RtlMessageBoxProc
RtlNtStatusToDosError
=R=u=}=
;<;R;X;];v;
Screen
ScreenT1
ScreenT2
%s: %d
SelectObject
Service
SetCapture
SetConsoleCtrlHandler
SetConsoleScreenBufferSize
SetCursorPos
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesW
SetFilePointer
SetFileTime
SetLastError
SetProcessWindowStation
setsockopt
SetTcpEntry
SetThreadDesktop
SetTokenInformation
SetUnhandledExceptionFilter
SfcIsFileProtected
:(:;:S:g:
SHCopyKeyW
SHCreateItemFromParsingName
SHDeleteKeyW
SHDeleteValueW
shell32.dll
SHELL32.dll
)\shellcode\shellcode\XPlug.h
)\shellcode\shellcode\XSetting.h
ShellExecuteExW
ShellT1
ShellT2
SHEnumKeyExW
SHEnumValueW
SHFileOperationW
SHFolder.dll
SHGetValueW
shlwapi
ShowWindow
SiProc
socket
SQLAllocEnv
SQLAllocHandle
SQLColAttributeW
SQLDataSourcesW
SQLDisconnect
SQLDriverConnectW
SQLDriversW
SQLExecDirectW
SQLFetch
SQLFreeHandle
SQLGetData
SQLGetDiagRecW
SQLMoreResults
SQLNumResultCols
SQLSetEnvAttr
SSSSQSj
SSSVSQ
StartServiceW
SVSSSPQ
|SVWhD
 SVWP3
 SVWPj
SxWorkProc
;-;S;y;
\$T9\$<u
=,=T=c=w=}=
T$DRWWW
Telnet
TelnetT1
TelnetT2
TerminateProcess
TerminateThread
t>f9Q*u8
>/>:>T>f>q>
T$\h E4
t*Ht=Ht:Ht7Sh5
t'jhWV
tLHtI-
tMHt=Ht/Ht"j
t$ WPVj
tXHtU-
:u_f9G
u h|R4
<U>p>v>
user32
user32.dll
USER32.dll
userenv
userenv.dll
>;?V?]?
VerQueryValueW
version
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQueryEx
Vt9It"It
Vt;Ht$Ht
VVPQVR
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WindowFromPoint
wininet
wininet.dll
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WriteConsoleInputW
WriteFile
WriteProcessMemory
ws2_32
ws2_32.dll
WS2_32.dll
WSACleanup
WSAGetLastError
WSAGetOverlappedResult
WSAIoctl
WSARecv
WSARecvFrom
WSASend
WSASendTo
WSASocketA
WSAStartup
wsprintfA
wsprintfW
wtsapi32
Wtsapi32
wtsapi32.dll
WTSEnumerateProcessesW
WTSFreeMemory
WTSGetActiveConsoleSessionId
WTSQueryUserToken
<w\u(3
WWWh,L4
XBase64.cpp
XBoot.cpp
XBuffer.cpp
XDList.cpp
XException.cpp
XHide.cpp
XInstall.cpp
XInstallUAC.cpp
XJoin.cpp
XOnline.cpp
XPacket.cpp
XPlgLoader.cpp
XPlug.cpp
XPlugDisk.cpp
XPlugNethood.cpp
XPlugNetstat.cpp
XPlugOption.cpp
XPlugPortMap.cpp
XPlugProcess.cpp
XPlugRegedit.cpp
XPlugScreen.cpp
XPlugService.cpp
XPlugShell.cpp
XPlugSQL.cpp
XPlugTelnet.cpp
XRTL.cpp
XSessionImpersonate.cpp
XSetting.cpp
XSo.cpp
XSoPipe.cpp
XSoTcp.cpp
XSoTcpHttp.cpp
XSoUdp.cpp
XThreadManager.cpp
?<?X?y?
?%???Y?
<,=Y=g=