Analysis Date: 2014-08-30 21:07:41
MD5: 056ae9cabc118d1fba02fea0f1305c22
SHA1: 60e54e7c68dd25e72f72ce84817340fb116ad155

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4a8a8bca439ed0addb9221892830c358 sha1: 4616526b9bc52a56425e608316e7d18bdd20c3ff size: 77312
Section .data: md5: ba561ca45f63cee55e792298fd09c88b sha1: 059c6acc82a1f6038c409855e8c9259410d855d7 size: 1024
Section .rsrc2: md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .rsrc5: md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc1: md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .rsrc7: md5: 8e8a481d5433e4ea401e807fecbb9ac4 sha1: 91660b475a4e9eafd1a0fd7c6ecdcc4f1d692955 size: 4608
Section .rsrc3: md5: 683538be6cf62f7c1a69626225057f62 sha1: abffb53f06436d928522c92414741c274842fb4e size: 137216
Section .rsrc: md5: 42dabc4274193c2d9b80d89b45d26c9a sha1: dd47ab85fdf30809d0ce469e070aed4d5ed8649f size: 1024
Timestamp: 2009-09-10 19:56:45
Version:
  LegalCopyright: Copyright © M S Extrim Edition 2011
  InternalName: Extrim Edition.exe
  FileVersion: 6.0.7007.1771
  CompanyName: Windows (R) Codename Longhorn DDK provider
  ProductName: Extrim Edition Version 2011
  ProductVersion: 6.0.7007.1771
  FileDescription: Windows Setup API
  OriginalFilename: Extrim Edition.exe
PEhash: 96e54923dd56fcfcee5f0f88e404586f5abf3c32
IMPhash: 576d266faa2206d735c5e18a7f131044

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ozysaa.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Process: C:\WINDOWS\Ozysaa.exe
Creates Mutex: O5EAZCO1OX9RTKDO

Process
↳ C:\WINDOWS\Ozysaa.exe

Registry: HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5 ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: O5EAZCO1OX9RTKDO

Network Details:

DNS: uol.com.br (Type: A) ➝ 200.221.2.45
DNS: uol.com.br (Type: A) ➝ 200.147.67.142
DNS: imageshack.us (Type: A) ➝ 208.94.0.193
DNS: imageshack.us (Type: A) ➝ 208.94.1.8

Strings