Analysis Date: 2014-08-28 23:56:34
MD5: 124d96185bc7827f07d0d1e8a5ec163d
SHA1: 674d7d520661574023b903d96e3ef4c79e3fbba9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 98765988910d68872b0628fcd9871e93 sha1: d35b3a1e420d5c6446273c7eab91226ade3a9a5e size: 56832
Section DATA md5: d9cc684f753c6f3213378009883a1580 sha1: 2f454a91fa2113c8b89c4605698b8b201528f60b size: 1024
Section .DATA7 md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .DATA0 md5: 24caa3f7c0792da55cef7f0dbb83aa90 sha1: d2c6b8694a84568a36f540f18b7bd584b2a7490a size: 114176
Section .DATA6 md5: 05f08aac9daf5a24fbee3d194d08c3e7 sha1: bbbf7f57db8c80a26a5d4b9a281946ecc90f99c2 size: 16384
Section .DATA3 md5: c22691e0da1891e495b473de6c9cb379 sha1: c92548275aeca297af37ff9f49093e746fa02d4b size: 4608
Section .rsrc md5: b7e1b6becca276d94a3dbbcb396fcec9 sha1: 16b902f019e6785e1e249b18b4e3fc0c4cad1b26 size: 1536
Timestamp: 2009-05-01 04:23:24
Version:
LegalCopyright: Copyright © McAfee Inc. Unlimited Edition
InternalName: UnlimitedEdition.exe
FileVersion: 6.0.6001.17727
CompanyName: Windows (R) Codename Longhorn DDK provider
ProductName: Unlimited Edition Version Ex-2011 by McAfee Inc.
ProductVersion: 6.0.6001.17727
FileDescription: Windows Setup API
OriginalFilename: UnlimitedEdition.exe
PEhash: 1ef4f695b8d2ae09e10c801867d20ee7c7da1091
IMPhash: e87afce7e54b1ab4e40d2db1103022f5

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ozysaa.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Process: C:\WINDOWS\Ozysaa.exe
Creates Mutex: O5EAZCO1OX9RTKDO

Process
↳ C:\WINDOWS\Ozysaa.exe

Registry: HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5 ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: O5EAZCO1OX9RTKDO

Network Details:

DNS: uol.com.br
Type: A
200.147.67.142
DNS: uol.com.br
Type: A
200.221.2.45
DNS: imageshack.us
Type: A
208.94.1.8
DNS: imageshack.us
Type: A
208.94.0.193

Raw Pcap

Strings
.`e)D..
.
S
T^)m
.
U

040904B0
0B2v
11Cs
4jKO2
6.0.6001.17727
bgwc
Ck2Q
CompanyName
Copyright 
FileDescription
FileVersion
fNCg
InternalName
isr8I
LegalCopyright
LMaq4
 McAfee Inc. Unlimited Edition
OriginalFilename
ProductName
ProductVersion
pw7E
S9OU
StringFileInfo
Translation
UIah8
UnlimitedEdition.exe
Unlimited Edition Version Ex-2011 by McAfee Inc.
VarFileInfo
VS_VERSION_INFO
Windows (R) Codename Longhorn DDK provider
Windows Setup API
Z7Iu
#;.^@\
*'@<0!(
0ay/^;
|0G9BN
,0kjT 
0Klvww
0l8bub
0lemoO>
0\uV;5
0Z(SMs
1aDoaw
*1ecT!
1rv-]D
1rV)Mf!
1UhvI:
.1X	Cy
1YT0po
24zJBmEb
2{9g=J
2.&,b3N
2blOjA
2)*gYT
2IB/DQ_
2Mx^0K
2zlbOf
36Aks#+CR
3\6wF:zu
38P}1k
?3DU28
3jv!Xw
\3mN"L
3"MsjL^
3WCvrtW
3YVuid
#44Zwk
4dh.gf
4k1AcQ
4WqJnZ4\qr_
5,]6|:CS8
5CF0j0W
}5d@R{
5lJohY
5)-.^N<
?-5QCH2
,,	.5t
5t5Tm0D1
^5|T}B
{5?x/l:
6Eb8TS
6ef|~F2Q
6gBUjS
!6JF<g?
6LWGF?
6OBxQ?
6Oz*ZI
6wBmTKio7'Q
722GVo
78Vax8
7G3aTULB1Y
^7i%FMZ
?7@/iJ
7Ixz2i
7l<,c~
7l&gE1s
7mRExR8
7u*aV= M@J:~
^7Y%6MD
}?>;8{4B
8|-dz	
8Et(Y/iW
,8|,=G?
8`^)MA
^#8?ps
8uWBRP
8x?oxO
96e88)
.97A+S<
9j/P.b
9WUvAM
A*3lm@
abTq-d 
ADVAPI32.DLL
a}eJh?KZ
&%?a g
aHwc`jF
A|\JZ&X
a>l4J}
,Alh )O{;
 ^<:AN
\AnBI#;
aq3ur3
A\qw^bL
At:=sm
a,VE^;w
.aZtii
B0zf*2
{,B.2X4
(B+7WC
b8onQ(
B-,D>g
BE0(7/
BGV;xh
^BhUwxf
B\h:zC
B|^J]&[
 \BJqR
B|_J[&V
Bjw1*m
bL`*~|
BLgI=[*k
]B;lrb
B\MwCbJ
*bnDC;
BO|$_13
bOx:~m
<!b_pa
B_TK"j
buYztF
B:,vLeE@J5~f
BW96Kh
@C*@ [
C5\C7E
[c"9@QW
C?@aNW
(C+\*F
ChooseColorA
C|^J[&T
,,cJta2
)CK3wpN>ql
cLa*}y
Clx6!-
CoCreateFreeThreadedMarshaler
CoCreateGuid
CoCreateInstanceEx
cOD:U^
CoFreeUnusedLibraries
CoGetContextToken
CoGetMalloc
comctl32.dll
comdlg32.dll
CopyEnhMetaFileA
CoTaskMemFree
CreateBindCtx
CreateStreamOnHGlobal
cT<&^0 G
CwPXl4
CZ3TRs5
CZ]BZ[
.DATA0
.DATA3
.DATA6
.DATA7
Ddh-eOb
dF8BLB
=~`DFh
_dGh.I]
d|J'k>
d|`J}&y
dJYTjO
D\k{:^
dKQw	S
DLm*B-
d "O|?
DoSBLQu
DOTITfh
d'Qf\N-wZ
DragQueryFileA
D|RJP*w
Drpcrt4.dll
){DS^L-
dvV,g+
|\dw{b}
D\]wEbZ
|[e1f7f~
e|:,<5
E7@"*^<
E\^7CrA
E8w6T!<
EA7x8M4/
!eao)u
eAut}hJ
E*]b~>&
"~E.)B
EB(Wrk
ec4<T$
""eD5_
)Ef!fem
+eJ'$o:O
ELA*]X
eLa*}y
(}eLf'kzUp?
EL^*[T
^^!eN3,
EnableWindow
!EnOW&
eO?A%Gr
e'pyTK
&e~.-Q1
es6uQfkd
`e!]TB
e\{wcbx
Ex67MrK
ExitProcess
ExitThread
f8SVtFI
F9<,}5
fahkqI
FBs+jL
FD5z4I
F|DJ^&[
f|eJc&~
f(-g47
FGfziT
fhh.kj
FH[+p`Z
(f,iFJ}I
fj3ST(A}
-fLd-ZOe
FL	x,fOZ
FO1f'N+k
|Fop:E
`fpk>j
F\qwGbN
f\Qwgc
FSbG(y
fskrHj
Fsyjbj>R
fTCPM7
fTdnK1
FTpKFD
Fvx+N$
F@X@+aV*
. +@^fZ
F+,z1B
f|zJx&v
fZN%8 
\{%gBF0g
gdi32.dll
gdL~*zv
g|eJc&a
GetACP
GetDIBColorTable
GetErrorInfo
GetFileTitleA
GetLastError
GetLengthSid
GetModuleHandleA
GetOpenFileNameA
GetPixel
GetProcAddress
GetRgnBox
GetVersionExA
GfwR]J{
ggTQJ9
gLe*c`
G.nu&S8,t
gp<_}O
(gtFc&
gTZM\[(q+iz
gy|rL$
gZy7Ii
h6;.eQ
*h6nER
_h%9M-*l
H)BK3U
*h\fLl
H~I\FhG=Qe
\HjwSfI
hLd*`|
)HLF*/D
HLI*GE
&H>l=jU:t[
&-)hN@(B
h\~]ND%F
HNp!@n
.HOpis
Hpg8Oge9bMJ
HrjtPB
H&W-(n
i6Fe+m
I8~jbR
:i?"~Cb
I^/E\z<
{ifl3`
ILE*^[
iLgV@x
ImageList_Destroy
ImageList_DrawEx
ImageList_GetBkColor
ImageList_Remove
iqT8ZWEv
IsBadHugeReadPtr
IsBadReadPtr
IsWindow
^\Iw_bF
i@}yiy$
?.,	iz
_J<3TC
j4j)j$
 :J6AvLu
j6LT93u
j9j8jGjEW
j?A(5'
j<AgJw
jA#h]*\
~]jA~k*fv/.
j|Awkbi
jbjjjR
jcE?nf
jCjQj_
j(./d<E
~J"GAR
\jghJf&d
j:jBj$
j!j(j&
j	j,j?
j{jjj{
jjjqj&
j`j js
j'jPji
jKjIj:P
&)JLH*
JLI*DB
jlj+j#
jLjwjF
'jO7.gX
jojkj	j
j )rC~
jSj&j@W
jSjvj$
^|[JT&Q
jTY;`1*T
j_$tz7p|rFo2
juj>j~
j\UwkbR
J\uwKbr
j+#\v)
jvJ>o7
Jw|(<E
\|[JW&P
~|{Jw&s
jx@Edz
jxQp2V
`||Jx&t
@|_J[&Y
j&YCCB
]|[JY&W
|,K~@$#~`
K27a?S
k3ILwN
{ K\.`{c
kC4gIG
kernel32.dll
KERNEL32.DLL
>kFo|z
kGrti~"
khTbp.'%B
kiLf,W
K^\N]Jj$[
k>oRf<6
k{T3@_z!
+k||vcw@p
kxTw$G
kzcoi~b
%{K;ZjL%
l-*`$]
l4PJdh0kut
L7+kFf"
L7qh1T
Laz\Nkr,
%l"&C3
L{cF8.
`_^lCU
ld$r~t
Lge*|x
lgGp2k
LGh.BA
l\gwmbd
L|IJD&C
LJ0xrrf
	LJDl{KxLH+
l.jLV@<
LjwFbi
lkJe&|
L	kse@
Lk-VNh)W$
~Ll*|,
LLG*A_
LLK*FD
LLM*JG
lLz:T&7(J
LoadKeyboardLayoutA
LoadLibraryA
LoadLibraryExA
L^RmWbC#
? lRTg
lstrlenA
lTG$rJ
^L\*[W
^L]*WR
}Lx*MI
_LX*UQ
l@Y,g~
}Ly*JG
@L_*YP
LYwobV
{LZ-/~
m}01C?
M^7c%6Mt
m;=aN)
M\AwJb^
mbstowcs
m_COBhz*
m\cwjb`
MD}?jrm
*Me[>D@eOCdX
memcpy
?mf.!5
mg@D~E
#mg=Q~k.l
M-"&Hz)?U
MJzOM8Vp
M`KyH6
MLD*@\
Mm1\S7
mMs>UZ
m[,<mz
\m[NTX:|GV
&~@MO7$tO
MPJ%r%;z
mPw\VGc
MR6gTM1
"m'rT%
m,R~ws
msvcrt.dll
Mt"I_\
MWK"fI
MWqaX24kd
N6uKF3
n8HWOh
\?n9\};
Nd98Op
Nd,|Or~}
|n/DU~T
Ne+U?q
nfl,9Ik_H
n=*hows
!n}IzD
=_NLA{@hw
N|LJJ&K
Nm:L%v
N/oUpC
_N&qR.
Nw+]bvJ
Nx2Hsz
N\ywObv
O1PfN-/`
O8/-L>
~oAz@GuK
;$[Oc^
OC$DHoZ
O`d\DFG6s
o=}fG;
O|FJ@&]
oH1i^	
oHf~.\
\o:__j)9
O\kTwF
ole32.dll
OLE32.DLL
oleaut32.dll
OleLoadPicture
OleRegGetUserType
OleRun
o`lhJf&d
OLJ*EA
OLK*DA
o lmJk&i
"OLs<yqBpM
Om_dHh
ON.zY0X
| #|OO
o=sfM1
!o;T0N
>OT\RL
"p2K;m
pb1u9jIf
PduICj
pf[!$a
P~hjuT
pHtFPu
PjdjeP
pj/ik>
Pj,jOV
pKhB6LkX
p|LJF&C
Pm8hJR
PMrvf0
POP50e2F
PropVariantClear
P.s7d4
PTv|8N
p.,TWq
=pvLN*
,PwR<T
\P@+Ya
Q9rN3V
,)q(AGx=
QB'o*A
Qc8huU
qD`ge|l
q~[|H(
Qj3jgP
Qj*j6W
Qj<j9V
qks+N!
QL"HA$
qnS0Uo
,qOI~N
-QOV~M
]QPuu+~?
":Q_R%
Q/TVS%OZ~{
Q'W{@_
}Qz,($
%R)3UH
(R6P#}T
*R:9e`
R{aONf
RC<k1fA
r~d/\e.
r\}EbdC
RegCreateKeyA
RegDeleteKeyA
RegisterTypeLib
RegQueryValueA
ReleaseStgMedium
,<(rEX
RFj~LR@
RFPJjT03O
rFQ	#6
$RFsTK
RjajYW
Rj?j?R
r@/~kN
&.;&rm
;r{M`r
r|OJK&D
(RO(PJ
^|rS,;O4*p
@.rsrc
@Rsz%^
,R=,Tf
ruTtJL
rVh3}T
r w9@8*k
\\Rw]bS
]s3h>ft
SafeArrayCreate
SafeArrayGetElement
SafeArrayGetUBound
SafeArrayPtrOfIndex
s*B_4f
s,B\DR
*sDOp?qd
s\DwNbB
)SEp/r"
SetTextColor
SgNkJ._X
SHDeleteKeyA
SHDeleteValueA
shell32.dll
Shell_NotifyIconA
SHGetDesktopFolder
SHLWAPI.DLL
SHQueryInfoKeyA
SHQueryValueExA
SHSetValueA
SHStrDupA
SLJ~N'\
sLO*HE
\*sL~wTb]
s#Md@g
smFrPf
%s|mgm`
sO+Nr+
-SOX~O
spT9Pp
sRqJ0Hm
}#SSL.K,
strcmp
strlen
sVbK1o
\swqdr?N
SysAllocStringLen
SysFreeString
SysStringLen
t!30r7TTj
{tb6nw
tEr]OS+
T|_gL!F
=T.GRf
!This program cannot be run in DOS mode.
thx;_&Pe
*t,,IOu
TJnBn(f
:-Tk8E
TLRfPq
TLR*Ql.
t|NJH&B
toaC6;
~T|oJR&/
,TOK~t
tolower
tOz\v|Vj
 t}T7HZ)_
tUNv8cja
TuXdkG
tWE^N_
U1iMLnYow
u5a7Xz
uAj3]lv)
)ub$Pe
]Ue/vD
$U@FP!+
UJ,}Md
UJ.VNV
ULPNj|*d~
uLq*MD
uM?Qu~
UNAiWD2xI
,uOM~r
u|qJM&G
U|QLl=jg&U
'UQz&C
urtek%
user32.dll
USER32.DLL
utsl3nH
:U_tYZ?T%
UU B}o
_u{Y-s
VariantChangeType
VariantCopyInd
vC7R10We3
ve_6#)
VerFindFileA
VerQueryValueA
version.DLL
VERSION.DLL
VF 1kS3>FV~
vFdbFf
^/VG.3*DN-g>nZ
v\g~3xfG
'vg%F,t
VirtualAllocEx
Vj}j	Q
{|vJu&q
VLW*US
VNgcNO
VNhW'T
)VOPz,B
~\/{Vr
V}rU h
'-VRuh
[v;Th]
VU<CQzG
VuMY*VlY
!V}VFb(s
$VvS3>
W(aO9*
wbzE|Q
\w~czd
w)De Fn	gfT&
=W~(fM
wFqBcdf
W{g*hw
w?GzfH
&Whc [&+Y'3
/wI`)Nk3y x
WjgjEQ
Wj jLQ
Wj@j_W
Wjmj6W
@|WJS2~#Lm*ki
wkMUf84PJG4
w;L7~ v
wLq*MI
WLU*Sm.
WOqHrWMeb
wOYy1j_3
wpgxUA
W%R8t<e
w(^Rv,
W|S@c<
WsSsrQ
>WTIsg=
w|tJs&q
'>wU;{
w|uJq&O
W+wOnv
#Wz*L^Qa
-~X\,`
x"1?vs
x3+;+F
xbqA	td
X>CP+ja>~
,);xfG
x>i6mW
\|XJQ*ocr
'X<j"|u|./|
|X.$;@Ju.:
^|XJU2~
^|XJU2u
XJZU6sp
xkT!::
xLJw_5V)g0
x,lk~k
xN-t58
xO['jsT
,xON~y
*?>xP3
X|TJP*l
x|uJN&I
x|uJp&M
XUWK<G?J
xW-gI9B
X,zOo%L)
y0'j./RA
;,=Y3ty:N
Y'7`K1
Y9L&Md
+Y{bbm/
y\cwwb`
y*fB#,
YG6l{#|F
^|YJT&R
y+LFQ5
y%-L)l
yLs*NJ
YLU*Qm.>h
YLV*TR
yLw*rp
yLw*us
	\~ypV
yq85OW
y(^Rx,
_*ytpg
Y?Vwr.Y
YwXkc:
Y\"XzW
*Z?%_?
Z46L.T
z5*klrT
z,bUwcbP
zBzO2\
z|cJe&
;zcL	Lc
z'e;59
z-@eT8
Z\Ew[bB
ZF@Jz,>%*
z`f+TR
|zhV>H
z*.JV"
,z?l}.-d
zLx*vM
ZLY*US
Z*qL|wRb[
z*R;~1
ZRD],:\&_
z|uJq&J
z|xJw&r
$$Zz{g
zZTXC>