Analysis Date: 2014-12-03 06:31:00
MD5: 216751de821af9f67175a56b5afb846f
SHA1: 78cdebd2bf671e98a7c791bc8fe1b3671376fedc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Sections:
  CODE    md5: 264191464b0174e361e2d2ebcb6d18a4  sha1: 8c229e4937014989e8c0f2ecf155ae672838470d  size: 67584
  .data   md5: acdf8b16c19ba6b5e881562dd09a1cb0  sha1: c2ae77867691ae54ae8d09101e17a50f682ec1bb  size: 151552
  .Rsrc2  md5: 0f343b0931126a20f133d67c2b018a3b  sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8  size: 1024
  .Rsrc9  md5: 62f32f0cc500d14fc08be6e93e684207  sha1: bf4601dade394bd1d86fd436f4be8e872a00e21d  size: 2048
  .Rsrc5  md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
  .Rsrc1  md5: c99a74c555371a433d121f551d6c6398  sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e  size: 2048
  .Rsrc7  md5: 0f343b0931126a20f133d67c2b018a3b  sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8  size: 1024
  .Rsrc4  md5: aa300bab899e72ad010661fa8007eb8a  sha1: 62d2d6d1e7b334ea3500fc04cb6454aa70f3cd3b  size: 2560
  .rsrc   md5: abf02db5d4da53c6662e81a1eaac0f6c  sha1: a006792bb483aad93b0d8a2a9b78979f302ff7e9  size: 1024

Timestamp: 2009-06-04 11:54:55

Version info:
  LegalCopyright: Copyright © Extra Windows 2011 Edition
  InternalName: Extrim Edition.exe
  FileVersion: 1.0.706.72
  CompanyName: Avira GmbH
  ProductName: MSE Extrim Version 2011 Edition
  ProductVersion: 1.0.706.72
  FileDescription: Windows Setup API
  OriginalFilename: Extrim Edition.exe

Packer: FSG v1.10 (Eng) -> dulek/xt
PEhash: def97b84db8cc1057762ddaea68178f83a9627b7
IMPhash: b2bf99d914497ffb8ad801cf6090adc1
AV detections:
  360 Safe: Gen:Heur.FKP.1
  Ad-Aware: Gen:Heur.FKP.1
  Alwil (avast): MalOb-EA [Cryp]
  Arcabit (arcavir): Heur.W32
  Authentium: W32/FakeAlert.IV.gen!Eldorado
  Avira (antivir): TR/Agent.328704.3
  BullGuard: Gen:Heur.FKP.1
  CA (E-Trust Ino): Win32/Renos.D!generic
  CAT (quickheal): Trojan.Renos.LX
  ClamAV: Trojan.Downloader-101883
  Dr. Web: Trojan.DownLoader1.52084
  Emsisoft: Gen:Heur.FKP.1
  Eset (nod32): Win32/Kryptik.JRD
  Fortinet: W32/CodePack.CX!tr
  Frisk (f-prot): W32/FakeAlert.IV.gen!Eldorado
  F-Secure: Gen:Heur.FKP.1
  Grisoft (avg): Win32/Cryptor
  Ikarus: Trojan-Downloader.Win32.Renos
  K7: Trojan ( 002056d81 )
  Kaspersky: Packed.Win32.Krap.ih
  MalwareBytes: Trojan.Agent
  Mcafee: Downloader-CEW.q
  Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
  MicroWorld (escan): Gen:Heur.FKP.1
  Norman: Gen:Heur.FKP.1
  Rising: Trojan.Win32.Generic.126CEA13
  Sophos: Mal/FakeAV-CX
  Symantec: Trojan.FakeAV!gen29
  Trend Micro: TROJ_FAKEAV.SM6
  VirusBlokAda (vba32): Trojan-Dropper.MTA.1215

Runtime Details:

Process: C:\malware.exe
  Creates File: C:\WINDOWS\Ozysaa.exe
  Creates File: PIPE\lsarpc
  Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
  Creates Process: C:\WINDOWS\Ozysaa.exe
  Creates Mutex: O5EAZCO1OX9RTKDO

Process: C:\WINDOWS\Ozysaa.exe
  Registry: HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5 ➝ 1
  Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
  Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
  Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
  Creates File: PIPE\lsarpc
  Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
  Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
  Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
  Creates Mutex: c:!documents and settings!administrator!cookies!
  Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
  Creates Mutex: O5EAZCO1OX9RTKDO

Network Details:

DNS: uol.com.br (Type: A) ➝ 200.221.2.45
DNS: uol.com.br (Type: A) ➝ 200.147.67.142
DNS: imageshack.us (Type: A) ➝ 208.94.0.193

Strings