Analysis Date | 2015-05-21 08:14:12 |
---|---|
MD5 | c28ecee9bea8b7465293aeeef4316957 |
SHA1 | b41166aee5a88c71e6ac774418a6e44f18b79b80 |
Static Details:
File type | MS-DOS executable | |
---|---|---|
Section | _FLAT md5: 3eac7dde3044dcbf444c39b014ef213d sha1: f872c461414eac2fae1428d1674e3b17a18f867b size: 200704 | |
Section | .imports md5: fe5d50ee3af3fef6a22865709d223c09 sha1: ff97382f42fb02900ec97b49ddd52a2e1f441a45 size: 8192 | |
Timestamp | 1970-01-01 00:00:00 | |
Packer | Borland Delphi 3.0 (???) | |
PEhash | 1b46033d74f491b8afef14bd52a942f4272faa04 | |
IMPhash | 0856e993d64dce238dcb24a0d94c0e04 |
Runtime Details:
Network Details:
Raw Pcap
Strings
\??\ 1234 %16.16X %2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X 44978A081CC5770F %4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d %4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d: Adb.hlp %ALLUSERSPROFILE% %ALLUSERSPROFILE%\AVck %ALLUSERSPROFILE%\FPS AVck boot.cfg cbSend=%d cbSend=%d;m_cb=%d;mhz=%d; cbSend=%d;status=%d \cfg.ini CLSID cmd.exe CMD.EXE CompanyName CONIN$ CONOUT$ ConsentPromptBehaviorAdmin /c rundll32 "%s" ActiveQvaw %s CRYPTBASE.DLL \Device\Floppy DISPLAY /DJMoqoirjvmimzzv/view/update?id=%d&tick=%d&%S=%d&%S=%d&%S=%d&%S=%d dMozilla/4.0 (compatible; MSIE EnableLUA FileDescription FileManager FileVersion FMSession FMSize FMSn FMStatus Global\DelSelf(%8.8X) HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 HTTP/1.1 https://mail.google.com $jjj jjjjjj LNULL l%s\sysprep\CRYPTBASE.DLL ~MHZ msi.dll nac.dat nqrc.dat open \Parameters PI[%8.8X] \\.\pipe\a%d \\.\pipe\b%d \\.\PIPE\RUN_AS_USER(%d) POST ProductName ProductVersion Recv Sn=%d, Recv Status Code=%d, RUNAS S-1-16-12288 %S:%d %s %d %d %s\%d.plg SeDebugPrivilege ServiceDll SeShutdownPrivilege SeTcbPrivilege Setup.exe Setup.msi s\Evn %s\msiexec.exe %d %d %s\msiexec.exe UAC sNT AUTHORITY Software\CLASSES\FAST Software\CLASSES\FAST\PROXY SOFTWARE\Microsoft\Internet Explorer\Version Vector SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Software\Microsoft\Windows\CurrentVersion\Run %s\sysprep %s\sysprep\sysprep.exe static \StringFileInfo\%4.4X%4.4X\%s System SYSTEM System\CurrentControlSet\Services SYSTEM\CurrentControlSet\Services\ \SystemRoot\ %SystemRoot%\system32\svchost.exe tSystem Idle Process \VarFileInfo\Translation %windir%\explorer.exe %WINDIR%\SYSTEM32\SERVICES.EXE Windows File Manager Services ; Windows NT %d.%d WINSTA0 ;(;=;]; 0 0&0+00080H0X0a0g0l0q0y0 0!0&0+010 0 0&0N0T0Z0k0 !0'0?0Y0w0 0)02090J0_0d0o0t0 0"030H0M0_0d0 "0+040:0?0D0K0P0u0 0 080?0W0^0j0 0$0A0F0e0j0t0 0(0A0T0^0h0 0>0K0Q0 0`0r0{0 0'0S0Z0n0x0 0@1D1H1L1P1T1X1\1 =!=,=0=4=8=<=@=D=H=L=P=d=p=u={= ; ;$;(;,;0;4;8;N;Z;_;f;m;t;{; 060[0e0l0~0 ?0?B?H? ;0E0Q0 >0H0k0 <_=0>>>H>Q>Y> 0I1N1~1 >">(>0>I>W> <$=(=,=0=L=Q=h=q=w=|= <"<0<><L<Z<h<v< 0N0X0e0 0O1m1u1~1 0O6X6d6q6z6 0T0b0k0r0 0t<It#ItFIu 1&1,11161=1B1T1]1f1l1q1v1}1 1"111:1C1I1N1S1Z1_1t1}1 1#1(1.151:1E1L1 1 1(1.1k1 1&1<1^1o1u1 1"1+121C1X1]1o1t1 1(1.13181@1]1i1 1(1.13181?1D1 1 1$161 1;1\1b1j1 1'1^1c1k1t1}1 1,1M1n1 127.0.0.1 1=2I2N2T2[2`2q2y2 :&:,:1:6:=:B: >+?1?7?O?}? ?)?1?9?`? 1E1P1W1`1e1s1 <$<1<<<E<K<P<U<\<a<t< 1f1p1y1}2 ;+;1;k;u;{; > >%>*>2>|> 2!212:2C2I2N2S2[2k2t2}2 2!2'20292@2E2L2Q2t2}2 2"2'2-23292>2C2H2M2R2X2^2i2n2y2 2 2)2/24292@2E2Q2 2)2.2=2B2O3q3}3 2"2.2;2D2J2O2T2[2`2 2%2,262G2\2g2 2$2,282f2k2H3{3 2"2'282S2i2r2w2 2"2*292M2Z2q2z2 222H2W2}2 2-232;2C2I2g2o2u2 2$272N2Z2}2 2#2Z2t2}2 2$3+353O3Y3 2?3D3U3p3 2>3F3a3w3}3 2=3G3X3w3 2>3i3u3 ="=(=-=2=9=>=T= ?-?2?A?F? ;2;;;D;K;P;X;t;{; ='=2=E=P=r= <2<]<i< ;,;2;J; 2K2`2q2 2W2e2p2 323;3E3Q3X3^3{3 3"3)30373>3E3L3S3Z3a3h3o3u3 3$3+3}3 3!3&3-323r3}3 3!3(3.353<3C3H3O3T3[3`3g3l3s3x3 3"333H3M3_3d3 3+353@3a3p3z3 3'353@3G3R3`3k3t3 3#363B3R3\3f3m3 3-3c3q3 3;3D3M3S3X3]3d3i3v3 3#3e3{3 3$3U3]3 3'434C4O4^4 3"4*4/454<4A4L4S4x4 353@3E3`3z3 363?3H3_3}3 373C3K3p3 ;$;-;3;8;=;D;I;w< :!:*:3:9:>:C:J:O:W:`:i:o:t:y: 3B4Q4X4 3C4]4x4 3G3S3u3 <3<;<I<V<"=,=9= >)>3>J>[> 3P4U4d4i4 <3<?<v< 434=4Y4k4 4*424^4 4&4+424I4\4x4}4 4 4%4*41464 4$4*4/444;4@4 444:4?4b4 4!4&4.4>4G4P4V4[4`4h4x4 444@4w4 4*4/4J4O4o4t4 4"4'4P4 4 484C4M4z4 4?4E4k4s4|4 4 4E4M4`4i4o4t4y4 4(5a5f5 4_5g5x5 46.21.150.165 4>8><>@>D> :!:':.:4:;:A:H:N:U:[:b:h:o:u:|: 4B4R4j4 4D4Q4`4 ;$;4;;;J;\;`;d;h;l;p;t;]< <#<4<P<m<z< :*;4;W; <$<,<4<W<d<j<r< 5 5'5,5 5/555[5 5(5-5?5D5 5'5.5E5N5W5]5b5g5n5s5 5-575=5E5M5]5m5}5 5]5e5|5 5(5F5S5\5c5 5.5Y5z5 565>5C5m5 5#6*61686?6a6 5#6L6V6s6 <5<A<H<[<t<y< 5C5[5l5 5c5o5{5 5E6c6k6s6 5H5W5\5b5i5n5|5 >5>H>j>o> ;%;*;5;:;p;{; 5T6c6l6r6w6|6 626Y6m6 646]6d6j6 6+61696 6!616A6^6 6)62686=6B6I6N6f6o6x6~6 6$656S6i6o6t6 6'6,62696>6L6S6y6 6&6/656:6?6F6N6 6 6%6>6G6P6V6[6`6g6l6 6 6:6@6j6 6!6(686N6S6b6g6 6:6A6P6 6#6V6?758t8 6:6X6`6q6 6 707K7`7 676C6H6X6b6 6+7<7B7r7 6 7=7G7 ;$<-<6<<<A<F<M<R<Z< 6b6m6|6 6e8q8{8 <-=6=?=E=J=O=V=[=m= :6:>:F:i:v:|: "6!_ K <6<><m< 737=7F7t7{7 768Q8c8i8 7-73797K7P7U7[7e7q7|7 7"737H7M7_7d7 7(7.73787?7D7z7 7 7%7,717A7J7S7Y7^7c7j7o7 7"7'7,73787 7"7'7.737J7Q7Z7c7i7n7s7z7 7 7)7/74797@7E7`7f7 777=7j7|7 777A7J7h7 7"7(7P7V7]7e7 7,7?7U7|7 7'787W7`7g7w7f8l8 7:7C7J7[7p7u7 7,828c8 7 8%8/898C8M8W8n8 7(888A8G8L8Q8X8]8 7 8"8;8g8x8 7!8E8n8 :7:<:A:\:i: <7<N<W<]<b<g<n<s< 7O849D9T9{9 838>8G8 868C8I8Q8 8"828C8X8b8x8 8)8781:E:N:U:f:{: 8$8)80858u8 8#8)838<8G8W8b8l8 8,8=8E8O8b8 8$8e8k8t8}8 8)8F8~9 8;9A9i9s9y9 8;9E9f9p9Q:Z:c:i:n:s:z: <'<8<c< 8D9N9W9 =8>?>E>M>j> 8F8Z8t8 8GULPt :&:.:8:?:O:m:z: >#>8>=>O>T>l>q> >.?8?W?|? 90:L:X: 919C9I9 959H9b9 989B9I9 98:E:K:S:l: 9&9/959:9?9F9K9 9!9(9-959H9T9]9f9m9r9z9 9$9.9?9J9P9U9^9c9m9 9"9<9F9Y9f9{9 9 9:9m9 9+9G9f9o9u9z9 9>9I9s9 9A:e:t: 9E9U9z9 9):F:R: :.:9:[:g: 9g9t9}9 9/:I:R:[:a:f:k:r:w: =!=)=9=N=W=]=b=g=n=s= =9=P=d=m=v=|= <-=9=r= 9':R:^:g:q: =&=9=T=]=d=t= abe2869f-9b47-4cd9-a358-c22904dba7f7 /Action.do?Uid=%d AdjustTokenPrivileges advapi32 advapi32.dll ADVAPI32.dll ?A?J?S?Y?^?c?k?{? AllocateAndGetTcpExTableFromStack AllocateAndGetUdpExTableFromStack AllocateAndInitializeSid AllocConsole <!=;=A=m= =.=A=M=T=l=v= ;A;P;d;j; %AppData%\Mozilla\Firefox %AppData%\Mozilla\Firefox\profiles.ini AttachConsole ;&<B<G<i< BitBlt bootProc =)>B>T>Z> B'WL=3 CallNextHookEx ChangeServiceConfig2W ChangeServiceConfigW ChromeHTML CloseDesktop CloseHandle CloseServiceHandle closesocket CloseWindowStation CoCreateInstance CoInitializeEx CommandLineToArgvW connect ConnectNamedPipe CONNECT %s:%d HTTP/1.1 Content-length: 0 Content-Type: text/html ControlService ConvertStringSidToSidW Cookie: %s%d;%s%d;%s%d;%s%d CoUninitialize CreateCompatibleBitmap CreateCompatibleDC CreateDCW CreateDesktopW CreateDIBSection CreateDirectoryW CreateEnvironmentBlock CreateEventW CreateFileMappingW CreateFileW CreateIoCompletionPort CreateMutexW CreateNamedPipeW CreateProcessAsUserW CreateProcessW CreateRemoteThread CreateServiceW CreateThread CreateWindowExW CredEnumerateA CredFree crypt32.dll CRYPT32.dll CryptUnprotectData D$DPWSVVQ ?#?D?e? DefWindowProcW DeleteCriticalSection DeleteDC DeleteFileW DeleteObject DeleteService DestroyEnvironmentBlock DestroyIcon ;@<D<H<L<P<T<X<\<`<d< DisconnectNamedPipe DispatchMessageW __dllonexit :%:[:d:m:s:x:}: dnsapi dnsapi.dll DnsFree DnsQuery_A DoImpUserProc =d>p>|> D$<PSSS D$tPSh DuplicateTokenEx =>=E=_=i= Ej,ZU(% EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p EnterCriticalSection EnumProcesses EnumProcessModules EnumServicesStatusExW EqualSid ExitProcess ExitThread ExitWindowsEx ExpandEnvironmentStringsForUserA ExpandEnvironmentStringsW ExtractIconExW F4h@L$ F8h@L$ f9K4t' fclose FindClose FindFirstFileW FindNextFileW FirefoxURL FLh@L$ FlushFileBuffers FMSession FMSize FMStatus >F?R?[? FreeConsole FreeLibrary FreeSid :-;F;v; GDh@L$ gdi32.dll GDI32.dll GdiFlush ;=<G<e< GenerateConsoleCtrlEvent GetACP GetAdaptersInfo GetAsyncKeyState GetClassNameW GetCommandLineW GetComputerNameW GetConsoleCP GetConsoleCursorInfo GetConsoleDisplayMode GetConsoleMode GetConsoleOutputCP GetConsoleScreenBufferInfo GetConsoleWindow GetCurrentProcess GetCurrentProcessId GetCurrentThread GetCurrentThreadId GetDeviceCaps GetDIBits GetDiskFreeSpaceExW GetDriveTypeW GetExitCodeThread GetExtendedTcpTable GetExtendedUdpTable GetFileAttributesW GetFileSize GetFileTime GetFileVersionInfoSizeW GetFileVersionInfoW GetForegroundWindow gethostbyname GetIconInfo GetKeyState GetLastError GetLengthSid GetLocalTime GetMessageW GetModuleFileNameExW GetModuleFileNameW GetModuleHandleA GetModuleHandleW GetModuleInformation GetNativeSystemInfo GetOverlappedResult GetPrivateProfileStringA GetProcAddress GetProcessHeap GetProcessWindowStation GetQueuedCompletionStatus GetRawInputData getsockname GetStdHandle GetSystemDefaultLCID GetSystemDirectoryW GetSystemInfo GetSystemMetrics GetSystemTime GetTcpTable GetThreadDesktop GetTickCount GetTokenInformation GetUdpTable GetUserNameW GetVersionExW GetVolumeInformationW GetWindowsDirectoryW GetWindowTextW GetWindowThreadProcessId <)<G<l< :G;[;l; GlobalMemoryStatus GlobalMemoryStatusEx >GULPt ?GULPt >GULPu HeapAlloc HeapFree Ht'Ht$Ht! Ht&Hua HTTP/1.0 200 HTTP/1.1 200 HttpAddRequestHeadersA HttpEndRequestA HTTP://HTTP:// HttpOpenRequestA HttpQueryInfoA HttpSendRequestExA ;);=;H;@<z< IE.HTTP :I;k;~; ImpersonateLoggedOnUser .imports inet_addr inet_ntoa InitializeCriticalSection InitiateSystemShutdownA InternetCloseHandle InternetConnectA InternetOpenA InternetOpenUrlA InternetReadFile InternetSetOptionA InternetWriteFile iphlpapi IPHLPAPI.DLL <<=i=q= >>?I?R?Y?^?f? IsWow64Process >$>:>?>J>O> JoProc JoProcAccept JoProcBroadcast JoProcBroadcastRecv JoProcListen JtnJtTJtAJt jWX_^[ jWX_^[] kernel32 kernel32.dll KERNEL32.dll keybd_event keybd_event KeyLog KillTimer KLProc LdrLoadShellcode LeaveCriticalSection LoadCursorW LoadLibraryA LocalAlloc LocalFree LocalLock LocalReAlloc LocalUnlock LockWorkStation LookupAccountSidW LookupPrivilegeValueW L$(QSj lstrcatA lstrcatW lstrcmpA lstrcmpiW lstrcmpW lstrcpyA lstrcpynA lstrcpynW lstrcpyW lstrlenA lstrlenW >*?L?_?t? L$tQSh >!?L?X?`?j? M0T0[0b0i0p0 MapViewOfFile memcmp memcpy memset MessageBoxW mouse_event mouse_event msvcrt.dll MSVCRT.dll MultiByteToWideChar >&>N>b>~> Nethood Netstat \nss3.dll NSSBase64_DecodeBuffer NSS_Init NSS_Shutdown ntdll.dll NtQueryInformationProcess odbc32.dll ODBC32.dll ole32.dll OlProc OlProcManager OlProcNotify _onexit OpenFileMappingW OpenInputDesktop OpenProcess OpenProcessToken OpenSCManagerW OpenServiceW OpenWindowStationW Option OutputDebugStringA OutputDebugStringW ;(;/;O;W;e;k;q; ;%<O<Y< >O>Y>a>j> =&=O=Y=b= =:=`=p= =P=b=k=q=v={= <$<*<P<e<k< PK11_Authenticate PK11_CheckUserPassword PK11_FreeSlot PK11_GetInternalKeySlot PK11SDR_Decrypt PlugProc PortMap PostMessageA PostQueuedCompletionStatus PostQuitMessage prefs.js Process ProcessIdToSessionId Profile0 \profiles.ini Progid %ProgramFiles%\Mozilla Firefox Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s] Proxy-Authorization: Basic %s Proxy-Connection: Keep-Alive psapi.dll <P=V=\=b=i=u= PVVVVVVh Q0`0O1'20292?2D2I2P2U2g2 ?Q?k?t?z? QSSSSSSVS QSVWh, QSVWjT QueryDosDeviceW QueryPerformanceCounter QueryPerformanceFrequency QueryServiceConfig2W QueryServiceConfigW QueryServiceStatusEx QueueUserAPC QWWPWW ReadConsoleOutputW ReadFile ReadProcessMemory RegCloseKey RegCreateKeyExW RegDeleteValueW RegEdit RegEnumKeyExW RegEnumValueA RegEnumValueW RegisterRawInputDevices RegOpenCurrentUser RegOpenKeyExA RegOpenKeyExW RegOverridePredefKey RegQueryValueExA RegQueryValueExW RegSetValueExW RemoveDirectoryW ResetEvent ResumeThread RevertToSelf RPhXK$ RtlCompressBuffer RtlDecompressBuffer RtlGetCompressionWorkSpaceSize RtlMessageBoxProc RtlNtStatusToDosError Screen ScreenT1 ScreenT2 SecDataSize= SecSession= SecSn= SecStatus= select hostname, encryptedUsername, encryptedPassword from moz_logins where hostname like "moz-proxy://%s%%"; SelectObject Service SetCapture SetConsoleCtrlHandler SetConsoleScreenBufferSize SetCurrentDirectoryA SetCursorPos SetEndOfFile SetErrorMode SetEvent SetFileAttributesW SetFilePointer SetFileTime SetProcessWindowStation setsockopt SetTcpEntry SetThreadDesktop SetTimer SetTokenInformation SetUnhandledExceptionFilter SetWindowLongW SetWindowsHookExW SfcIsFileProtected :-:::@:S:`:f:y: SHCopyKeyW SHCreateItemFromParsingName SHDeleteKeyW SHDeleteValueW shell32.dll SHELL32.dll ShellExecuteExW ShellExecuteW ShellT1 ShellT2 SHEnumKeyExW SHEnumValueW SHFileOperationW SHGetValueW shlwapi ShowWindow SiProc ?S?_?n?x? socket Software\microsoft\windows\shell\associations\UrlAssociations\http\UserChoice sprintf SQLAllocEnv SQLAllocHandle SQLColAttributeW SQLDataSourcesW SQLDisconnect SQLDriverConnectW SQLDriversW SQLExecDirectW SQLFetch SQLFreeHandle SQLGetData SQLGetDiagRecW sqlite3_close sqlite3_column_count sqlite3_column_text sqlite3_finalize sqlite3_open sqlite3_prepare_v2 sqlite3_step SQLMoreResults SQLNumResultCols SQLSetEnvAttr %s\%s\signons.sqlite SSSVSQ StartServiceW _stricmp strstr SVWP3 SxWorkProc t7Ht Ht T$8RSS tBhTP$ =?>T>]>c>h>m>t>y> tehTP$ Telnet TelnetT1 TelnetT2 TerminateProcess TerminateThread t>f9Q*u8 tghTP$ tH5cqp t.Ht Ht t]hTP$ t'jhWV tlHti- tNHt0H TranslateMessage T$(Rh`A# t$ RWVj tShTP$ t"SSSj T$Th`E$ tXhTP$ tZhTP$ uChTP$ :u_f9G uFhTP$ u hDO$ u hLU$ UnhookWindowsHookEx >&>U>p> user32 user32.dll USER32.dll userenv userenv.dll USERENV.dll user_pref("network.proxy.autoconfig_url", " user_pref("network.proxy.http", " user_pref("network.proxy.http_port", <-<;<v< VerQueryValueW version ?#?V?i? VirtualAlloc VirtualAllocEx VirtualFree VirtualFreeEx VirtualProtect VirtualProtectEx VirtualQueryEx +v]$KR4-y&8 Vt8It"It VWh|[$ WaitForMultipleObjects WaitForSingleObject WideCharToMultiByte WindowFromPoint WindowFromPoint winhttp WinHttpCloseHandle WinHttpConnect WinHttpGetIEProxyConfigForCurrentUser WinHttpGetProxyForUrl WinHttpOpen WinHttpOpenRequest WinHttpQueryHeaders WinHttpQueryOption WinHttpReadData WinHttpReceiveResponse WinHttpSendRequest WinHttpSetOption WinHttpSetTimeouts WinHttpWriteData wininet WNetCloseEnum WNetEnumResourceW WNetOpenEnumW WriteConsoleInputW WriteFile WriteProcessMemory ws2_32 ws2_32.dll WS2_32.dll WSACleanup WSAGetLastError WSAGetOverlappedResult WSAIoctl WSARecv WSARecvFrom WSASend WSASendTo WSASocketA WSAStartup wsprintfA wsprintfA wsprintfW wsprintfW wtsapi32 Wtsapi32 WTSEnumerateProcessesW WTSFreeMemory WTSGetActiveConsoleSessionId WTSQueryUserToken <w\u(3 w,Vh\U$ WVVVh4R$ WWWh4R$ WWWWWRWj :':y::;R; yXbCei