Analysis Date: 2015-01-12 03:06:56
MD5: 88f5c9aa4cd2b36604794d0ddad73404
SHA1: c5a0ba93cb840318a9d1ad52584c953174c09119

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 653f0889812e9d81848135f60374909b sha1: bfba3da2ed373701ccbe05fb7092088b099498fd size: 68096
Section DATA md5: a91b928aa9fb3a3d11e12459e8dd7468 sha1: a580b6653c35b8c7201c1ab1ba8256acfa09f480 size: 1024
Section .rsrc8 md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .rsrc3 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .rsrc9 md5: 62205162d011fdd719a06ca57068a052 sha1: a9b029fb5cac19a00a6973b45df8dd7fcaa4b0fd size: 138240
Section .rsrc5 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc2 md5: 447deaa9453ec9e4a453c63894ceab57 sha1: 7dbca65a0532ff531286cc9d5abeb8b55b90effb size: 4096
Section .rsrc md5: e63c1782fc5bac2e215666c0458ef09d sha1: a3dbc1e7e803b0541e06429b74ba7ba97a3306da size: 1024
Timestamp: 2009-08-06 09:03:16
Version info:
LegalCopyright: Copyright © M S Extrim Edition 2011
InternalName: Extrim Edition.exe
FileVersion: 6.0.7007.1771
CompanyName: Windows (R) Codename Longhorn DDK provider
ProductName: Extrim Edition Version 2011
ProductVersion: 6.0.7007.1771
FileDescription: Windows Setup API
OriginalFilename: Extrim Edition.exe
PEhash: e8657ebdd2a33e8af604662cc9a7175002e46649
IMPhash: 2d373f4cf9fdbeffc54518c88699ec08
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.5795
AV Alwil (avast): MalOb-EA [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.5795
AV Authentium: W32/FakeAlert.IV.gen!Eldorado
AV Avira (antivir): TR/Crypt.EPACK.Gen2
AV BullGuard: Gen:Variant.Kazy.5795
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LX
AV ClamAV: Trojan.Agent-222132
AV Dr. Web: Trojan.DownLoader1.45541
AV Emsisoft: Gen:Variant.Kazy.5795
AV Eset (nod32): Win32/Kryptik.IZI
AV Fortinet: W32/CodePack.CX!tr
AV Frisk (f-prot): W32/FakeAlert.IV.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.5795
AV Grisoft (avg): Generic20.ASMH
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Trojan ( 700000061 )
AV Kaspersky: Packed.Win32.Krap.ih
AV MalwareBytes: Rootkit.Agent
AV Mcafee: Downloader-CEW.q
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Variant.Kazy.5795
AV Rising: Trojan.Win32.Generic.1262FA20
AV Sophos: Mal/FakeAV-CX
AV Symantec: Trojan.FakeAV!gen45
AV Trend Micro: TROJ_FAKEAV.SM2
AV VirusBlokAda (vba32): BScope.Trojan.MTA.01233

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ozysaa.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Process: C:\WINDOWS\Ozysaa.exe
Creates Mutex: O5EAZCO1OX9RTKDO

Process
↳ C:\WINDOWS\Ozysaa.exe

Registry: HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5 ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: O5EAZCO1OX9RTKDO

Network Details:

DNS: uol.com.br (Type: A) ➝ 200.147.67.142
DNS: uol.com.br (Type: A) ➝ 200.221.2.45
DNS: imageshack.us (Type: A) ➝ 208.94.0.193
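The static, runtime and network indicators above collected into a small triage script, as an added example that is not part of the sandbox report or its tooling. It turns the report's sample-specific indicators (hashes, dropped file, scheduled-task .job, mutex, registry key) and its weaker observations (DNS lookups, a .job file written to the Tasks directory) into a scored match over host events. The event dictionaries and their field names (`type`, `path`, `md5`, `sha1`, `name`, `key`, `query`, `dst`) are a constructed schema for illustration, not a real EDR format, and the verdict thresholds are the example's own. The two DNS names are public services (a Brazilian web portal and an image host), so the script treats them as weak indicators rather than blockable IOCs; the report does not establish why the sample resolves them.

```python
"""Triage helper built from this report's indicators.

Added example, not the sandbox's own tooling. The event dictionaries and their
field names are a constructed, illustrative schema, not a real EDR format.
"""
import re

# Indicators taken from the report above. Paths and keys are lower-cased for
# case-insensitive matching, as Windows paths and registry keys are.
IOCS = {
    "md5": {"88f5c9aa4cd2b36604794d0ddad73404"},
    "sha1": {"c5a0ba93cb840318a9d1ad52584c953174c09119"},
    "mutex": {"O5EAZCO1OX9RTKDO"},
    "file": {
        r"c:\windows\ozysaa.exe",
        r"c:\windows\tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job",
    },
    "registry": {r"hkey_current_user\software\z30kypg3ws"},
    # uol.com.br and imageshack.us are public services: weak indicators only.
    "domain": {"uol.com.br", "imageshack.us"},
    "ip": {"200.147.67.142", "200.221.2.45", "208.94.0.193"},
}

# Generic behaviour seen in the report: a .job file dropped into the Tasks
# directory (the sample creates and then deletes one). Legitimate task
# scheduling does this too, so it only counts as a weak indicator.
TASK_JOB_RE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$")


def match_event(event):
    """Return a list of (strength, label) hits for one constructed event."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        path = event["path"].lower()
        if path in IOCS["file"]:
            hits.append(("strong", "file:" + path))
        elif TASK_JOB_RE.match(path):
            hits.append(("weak", "behaviour:scheduled-task-job"))
        if event.get("md5") in IOCS["md5"] or event.get("sha1") in IOCS["sha1"]:
            hits.append(("strong", "hash"))
    elif kind == "mutex" and event["name"] in IOCS["mutex"]:
        hits.append(("strong", "mutex"))
    elif kind == "reg_set":
        key = event["key"].lower()
        if any(key.startswith(prefix) for prefix in IOCS["registry"]):
            hits.append(("strong", "registry:" + key))
    elif kind == "dns" and event["query"].lower() in IOCS["domain"]:
        hits.append(("weak", "dns:" + event["query"].lower()))
    elif kind == "net" and event.get("dst") in IOCS["ip"]:
        hits.append(("weak", "ip:" + event["dst"]))
    return hits


def triage(events):
    """Aggregate hits over a host's events into a verdict."""
    hits = [h for e in events for h in match_event(e)]
    strong = sum(1 for s, _ in hits if s == "strong")
    weak = sum(1 for s, _ in hits if s == "weak")
    if strong:
        verdict = "match"      # any sample-specific indicator is decisive
    elif weak:
        verdict = "review"     # public-service DNS or generic behaviour only
    else:
        verdict = "no-hit"
    return {"strong": strong, "weak": weak, "hits": hits, "verdict": verdict}


# Constructed host events mirroring the report's runtime section, plus one
# unrelated file write to show that benign activity produces no hit.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\malware.exe",
     "md5": "88f5c9aa4cd2b36604794d0ddad73404"},
    {"type": "mutex", "name": "O5EAZCO1OX9RTKDO"},
    {"type": "file_create",
     "path": r"C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job"},
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5",
     "value": "1"},
    {"type": "dns", "query": "uol.com.br"},
    {"type": "file_create", "path": r"C:\Program Files\Example\example.exe"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"], result["strong"], result["weak"])
    for strength, label in result["hits"]:
        print(f"  [{strength}] {label}")
```

Running the block against the constructed events yields a "match" verdict on four strong hits and one weak hit; the benign file write contributes nothing. The mutex, the Z30KYPG3WS registry key and the GUID-named .job path are the most useful pivots for sweeping other hosts, since the dropped file name and the hashes will change with each repack. The generic Tasks\*.job rule is deliberately weak: the sample's create-then-delete pattern on the .job file stands out in a short sandbox trace but is indistinguishable from ordinary task scheduling in fleet telemetry without the process context. One static detail worth a separate check, left out of the script, is the version resource: FileDescription and CompanyName carry Microsoft-looking strings ("Windows Setup API", a DDK provider) while ProductName is "Extrim Edition", an inconsistency the section list (.rsrc2, .rsrc3, .rsrc5, .rsrc8, .rsrc9 alongside .rsrc) reinforces.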

Strings
.Ws.?....
.I
.6

040904B0
2CQV
4FDn
4rvA
6.0.7007.1771
6u23
AR02bx
CompanyName
Copyright 
Extrim Edition.exe
Extrim Edition Version 2011
FileDescription
FileVersion
gHZS
InternalName
k8YR
LDMl
LegalCopyright
 M S Extrim Edition 2011
NhnzPfk
OriginalFilename
owdC
ProductName
ProductVersion
s0Mc
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
W0B6tP2G
wgzAm
Windows (R) Codename Longhorn DDK provider
Windows Setup API
YMiYb
Ymo7
yOux
zlO6
~}&*=,
(! @(|
$0,5=3
!0Cv~O
|0<{NL
 +0nO37+P6J
0t-sZ=Y
158MPz
1aOxLfqb
|1%Fp@
1'Up.K
20&7=<
2OquG5D9
2Qn'y1
-2snPr
2XlePl
3`=	)4{
35ATY0P
\3\)$7
`{3-9p
3<9=Qy
3j40uw
3jW%I/p
3)LH~p2,
=?.3-m
?,	3_M
3_M	ngO=IIe
3snFdh
3Xgerk
-4,%.,
+$4'!!
4?6	2e
:?4	7e0
4SVpB0
54/T!dA
5_7`?XTnoax/
5E%Mka+
5Ff54A
5/O%%3r
5rIY&S
)5},	t
5v8kr3
;?6	2e
6af5Gv
6BBQzZK
=?;	6e
6eHNt~
6\g7W<PO='B
+6m10$
73<?p%Q)
>78%/}x
7sbi77
7shlwapi.dll
7x,0NBX
??8	5e6
?=	8e4
8%'`F%
8gMogDNs
8L7!u4
<8)#lm
8O|+7ib
8OR&Qcc
"^91<M
9?;	4e1
9?6	2e	
9dyLzw<
 ?"	9e;
%?9	;e5
9|(>m.
9<,%r.7h
9rqzZA
9W@i|Z\
a1OREXAw
<A,~1r'05
A2B%AX
)a?6?ml?
Aci8zc>
AdjustWindowRectEx
advapi32.dll
A-Gnl=$
aIm1I4
AKckhhT
+)A!NH
A$/pqXT
b	@7OO
b7vifB
BeginPaint
bEO;aU
^B$Ep/
bl2MTH
[b}Ozo
b'Z<@/
c1S/;k
c5iY5wv
CallNextHookEx
CallWindowProcA
'\cCOz
CDAVgy6a
CdBIAu
Cg#[Gm
CharLowerA
CharLowerBuffA
CharNextA
CharNextW
CharToOemA
CharUpperBuffA
CheckMenuItem
ChildWindowFromPoint
ChooseColorA
ClientToScreen
CloseClipboard
CloseHandle
\,CO~/
COMCTL32.dll
COMDLG32.dll
CompareStringA
CoRevokeClassObject
cOR#Ism32
,-cpm)0
%_Cq!lolW#e`
CreateBrushIndirect
CreateCompatibleDC
CreateEventA
CreateFileA
CreateIcon
CreateMenu
CreatePopupMenu
CreateThread
cT&@yN
cV/Arp
@#_+d%
~D<({`
`D1}MS
D31SDdi
D'A9>_9
d[@DGY
DefFrameProcA
DefMDIChildProcA
DefWindowProcA
DeleteCriticalSection
DeleteFileA
DeleteMenu
DestroyCursor
DestroyIcon
DestroyMenu
DestroyWindow
Df%l1}
DispatchMessageA
DispatchMessageW
dm|kgo
dml>E%A
D?.){n
DrawEdge
DrawFrameControl
DrawIcon
DU$Qpi
d;x#w!`9O
/*	&e"
(?%	&e 
)$+	%e'
$=	>e:
%?&	"e>
+?'	#e>
e|0a1/s
e_2z)k
"?<	>e8
$'	=e9
eCvH8Qnx2ROA
e@&-F>
eM7I1ekI0
EnterCriticalSection
EnumCalendarInfoA
e|+v9m
EwsJHa
ExitProcess
ExitThread
F/6!)1
<f[7Os
fenTE#k
FgKg0UEFpjn
FindClose
FindFirstFileA
FindResourceA
FindTextA
!f((Lmh5
FormatMessageA
fqDh7=
FreeLibrary
FreeResource
F[vTUoP
G0Nz5w9G
GDI32.dll
<,g/.	(e*
GetACP
GetCommandLineA
GetCommandLineW
GetCPInfo
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatA
GetDiskFreeSpaceA
GetEnvironmentStrings
GetFileAttributesA
GetFileSize
GetFileTitleA
GetFileType
GetFileVersionInfoA
GetFullPathNameA
GetLastError
GetModuleHandleA
GetModuleHandleW
GetObjectA
GetPaletteEntries
GetPixel
GetProcAddress
GetRgnBox
GetSaveFileNameA
GetVersionExA
?;gF-(`
gGF8hL8
.g"l8W
GlobalAlloc
goq3f)
gQq0Sf
gTjFWLsG
	gw4tA
gz$`\o
gZW)4bA
h~e=k%
'hf5`/
HH9PWr/iz
ho2(7S
.:HON?+a
hQLHap
hTw9bSg
HVerQueryValueA
!%?}i.
%I++(%),.
I'+$+%
I$+'$&
i"1m1*
.Iken@
+]}i-m
ImageList_Add
ImageList_Create
ImageList_DragShowNolock
ImageList_Draw
ImageList_DrawEx
ImageList_GetBkColor
ImageList_Read
ImageList_Remove
ImageList_Write
,in2/uWT
Io$iek
IsBadReadPtr
iYYsMUp
j3j!j/
j3j}jS
j4jcj!j
j7jBjX
j8j^jg
Ja>z($
JBb@4b
jCjvj7Q
JdFSW]E
']'je!
jejdjN
jevaVB
jF7y\!n/
jFj2j&
jHjDj+
J* I9#%h
jI~a8y@-
j.j5jC
j}jBjU
j@jfjB
j_j'j	
jJjajo
j#j@jEW
j>jJjqjY
j	jjj]R
j:j\jN
j}j/jqP
j	jkj*
j`jLj6Q
j.jVj	
j`jvjv
j#jyjgV
jkj<jS
jlj/j%
JM5mkhPqY
jMjIj1j
jN5kDd
jnj]jq
jojjj jRQ
jpj%j`
jPj'jej!
j-QT6{
jsjaj@j/V
jTj_j>
Jujb0u
JV5Ewc
jVjbjGP
jVj]jk
jWj1jLj`
jwjejx
jWjijx
jWjkj%Q
jxjwjmj|
jzj]jS
k1x1GK~
k8	;xM6
K~9C	3W
Ka3x8cQHB
K-&e$$
kernel32.dll
KERNEL32.dll
KgI1(K6
kHi7,Q
kju{jq
KjyFZ4
KNCNIE
KXi^Hg
L	9Q0o
lcgy9W
L'cji;?
Ldv-AQ
L$+?&	#e<
&;le(P
'?leRftM
LineTo
LoadLibraryA
LoadLibraryExA
}|L@OK&
lT]m;Vq
*luo&.
lV9kEN
LxwnYvB
M7Mwu1eo
m>'87w.
m,cj1H
+'mDPlm
memcpy
mH#8 e/`
^{%mi\
MI`=5%
|m%J1|
'm@;ko
:[mk't
MRkp	a/
MSVCRT.dll
,nA+5*
NbXSCrO
#n.dMl
NE	VhL
NL?HqR
^o3gSRHN
O4`8<%
%o`5.%
O6O? f
o9uk8m
O^9&v]
&O+9WT
O,A:[l(
oDYiFj
oeQWn8l
ogr%gL
OLE32.dll
oleaut32.dll
OpoEo7
oStIhw
 o#ui&}
OWMx&x
o&w`]Y
oXG+*0p+L}7Lv
~p6<wI
$? P7j
P%8WEL:7O
PathGetCharTypeA
pd7&K.&D2?&
PD uq9
{p#dV=
PfxkdB
Phf{Z6y
p?iOWc
PjJjoQ
PjMj V
:%Pktc!
PMz'nEc
POtEJR
(ppee!qk
pvnE~5
PXt,J e\fld^
	pZ>;d
Q5mGtWPO
qH272k
q<&(I_
Qj\jHQ
Qjoj|W
qq6Yaa
Q<#S=-
qthVStYggeJ
Q=!Ui%
.qv%:&E$
%q'YI/
Rd&Q$[
.__{r]e
RegCreateKeyA
RegQueryInfoKeyA
RegQueryValueExA
RGL2d<z
rhx7x6
Rich:>
Rjmj]V
Rjsj9R
Rjyj)V
Rn~OQ%
.R=Nzg
RsjWLLW
&r.SLM
@.rsrc
.rsrc2
.rsrc3
@.rsrc5
@.rsrc8
.rsrc9
RtEXHl
Ry?4{E}
S3wZ4`(
saEJBcv
SafeArrayUnaccessData
SATnBKSI
@s?g_	~v
SHDeleteKeyA
SHGetValueA
SHLWAPI.dll
/~soRw
S_UG)k
SysAllocStringLen
/T2aJe
*t51 %
T&"</9
thDOY,
!This program cannot be run in DOS mode.
Tj-sDU
TnB8Sk
trOjiK
twdfsao
twFoL95u
Tx&Mny;O
+!u9rm
u!/c3&
UIuUZC
Uj7dMJFV
ujebNR
u]mNY|vd
;}*u.p
uR|9Y|:
user32.dll
u+T5(9
Ut,l#z
UW?w_vhuK
v=8kmM
vAvyzaxiew
VerFindFileA
version.dll
VERSION.dll
~VI#O	*
VirtualAlloc
VirtualAllocEx
Vj"jgQ
Vj,j^R
)v?M7K
VwHVvj
"}/w	>
wDzNgS
+WITj$
Wj8j,V
Wj?jHQ
WjqjMR
Wjqj\P
Wjqj[R
wmH7tr
%<WmyQ
	=Wni<U
WN|">&]l?<)
~W(:YU
>|}x8uwW
["X;9r
'xC9'm1
XftC]p
xHwGdE
XiUIwP
xKi>	m
&x;<(mI
XOdk{A]
yb$~3A
@y>Bn'k
]y/cz.zt
+yd@\V
-Yg}N<!
yi W-7
y#j-j.p
Ylcr(UOs
yNdV{tM
y-sk.b
|yV4zJ{
#z_0nt
`z~6{^w
Za3bpA
zD(c>/
Z$e!.I!
ZE%mL_
ZfQTTB
z=``+g<
ZieWHO
z[+i.z
zmR>oR
ZnfZl6
Zo@j0)
:+z?q5I
#zVDeH