Analysis Date: 2014-09-13 03:50:18
MD5: 4b45b53e2b42b8416102720a05716ac5
SHA1: b8c7429e66bdfbe416d5d893352795cdd34279fd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 500f6c7dfca089a53f33eb193b5ff8b6 sha1: f7ab3afc277f9c4b902834d04b483bcb193fde72 size: 64000
Section DATA md5: 4180f0e72b515bfe0d6d83f7f1d120bb sha1: 829775eb295b5b5747ff10260a63c10411e7a443 size: 144384
Section .RSRC4 md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .RSRC9 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .RSRC5 md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .RSRC1 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .RSRC8 md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .RSRC7 md5: 91983c161bbe230349d1c2dcf61aebb2 sha1: 5317d30fd7628f14f25dd674f643c155fb500dda size: 1024
Section .rsrc md5: 14363390ac3532411998ea4bc539f98b sha1: 82f8eca329dd1a7911e5a754352ccdd51ca5e9de size: 1024
Timestamp: 2009-08-26 23:17:49
Version:
LegalCopyright: Copyright © Extrim Windows Edition 2011
InternalName: Extrim Edition.exe
FileVersion: 6.0.706.1772
CompanyName: Windows (R) Codename Longhorn DDK provider
ProductName: MSE Extrim Edition Version 2011
ProductVersion: 6.0.706.1772
FileDescription: Windows Setup API
OriginalFilename: Extrim Edition.exe
PEhash: 106bcb107d4d131acf1e86f7f2fe50575c54fd6f
IMPhash: fb9ace3078e40042964ea6309649a295

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ozysaa.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Process: C:\WINDOWS\Ozysaa.exe
Creates Mutex: O5EAZCO1OX9RTKDO

Process
↳ C:\WINDOWS\Ozysaa.exe

Registry: HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5 ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: O5EAZCO1OX9RTKDO

Network Details:

DNS: uol.com.br (Type: A) ➝ 200.221.2.45
DNS: uol.com.br (Type: A) ➝ 200.147.67.142
DNS: imageshack.us (Type: A) ➝ 208.94.0.193
DNS: imageshack.us (Type: A) ➝ 208.94.1.8

Strings