osrootsyntax.exe

The application osrootsyntax.exe has been detected as a potentially unwanted program by 18 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 41835 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address r2.ycpi.vip.ne1.yahoo.net on port 80 using the HTTP protocol.
MD5:
320a9cbac4d9496b04785716f4154a64

SHA-1:
65aee0fbbe55dd0f9f37705fbbe1263f1e17cb7a

SHA-256:
ff20403addd9e57e68742f540b8035a4cf8c40a9ac75b7b08db88d0da5885d75

Scanner detections:
18 / 68

Status:
Potentially unwanted

Analysis date:
4/18/2024 11:55:24 PM UTC

Scan engine             Detection                        Engine version
Lavasoft Ad-Aware       Application.Generic.845070       824
AegisLab AV Signature   W32.Expiro                       2.1.4+
Agnitum Outpost         PUA.Pirrit                       7.1.1
AhnLab V3 Security      PUP/Win32.Generic                2014.10.31
avast!                  Win32:Adware-gen [Adw]           141025-0
AVG                     Adware Generic5.CHEH             2014.0.4189
Bitdefender             Application.Generic.845070       1.0.20.1535
Clam AntiVirus          Win.Trojan.Application-662       0.98/19574
ESET NOD32              Win32/Adware.Pirrit (variant)    8.10646
F-Prot                  W32/A-6ac1df44                   v6.4.7.1.166
F-Secure                Application.Generic.845070       11.2014-03-11_2
G Data                  Application.Generic.845070       14.11.24
IKARUS anti.virus       PUA.Pirrit                       t3scan.1.8.3.0
K7 AntiVirus            Adware                           13.185.13853
MicroWorld eScan        Application.Generic.845070       15.0.0.921
Reason Heuristics       Threat.Win.Reputation.IMP        14.11.3.2
VIPRE Antivirus         Threat.4150696                   34232
Zillya! Antivirus       Adware.Pirrit.Win32.8            2.0.0.1974

File size:
303 KB (310,308 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\biosdirectxscrolling\osrootsyntax.exe

File PE Metadata
Compilation timestamp:
9/23/2014 7:55:50 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:U7VmMvAdtL2fyQtQN3X+1ZkWd/OGmDGlxxi:sVm+Oc/tQUZvxxi

Entry address:
0x1DCD9

Entry point:
E8, A5, 04, 00, 00, E9, 63, FD, FF, FF, CC, FF, 25, 44, 91, 43, 00, FF, 25, 38, 91, 43, 00, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, B0, 7E, 44, 00, 89, 0D, AC, 7E, 44, 00, 89, 15, A8, 7E, 44, 00, 89, 1D, A4, 7E, 44, 00, 89, 35, A0, 7E, 44, 00, 89, 3D, 9C, 7E, 44, 00, 66, 8C, 15, C8, 7E, 44, 00, 66, 8C, 0D, BC, 7E, 44, 00, 66, 8C, 1D, 98, 7E, 44, 00, 66, 8C, 05, 94, 7E, 44, 00, 66, 8C, 25, 90, 7E, 44, 00, 66, 8C, 2D, 8C, 7E, 44, 00, 9C, 8F, 05, C0, 7E, 44, 00, 8B, 45, 00, A3, B4, 7E, 44, 00, 8B, 45...

Entropy:
6.4525

Packer / compiler:
PEQuake V0.06

Code size:
220.5 KB (225,792 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:41835/

Local host port:
41835

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to r2.ycpi.vip.ne1.yahoo.net  (98.138.81.73:80)

TCP (HTTP):
Connects to r1.ycpi.vip.ne1.yahoo.net  (98.138.81.72:80)

Remove osrootsyntax.exe - Powered by Reason Core Security