Analysis Date: 2014-09-23 00:04:16
MD5: df8173bfe94247d59efa92fd731e1977
SHA1: d5557056a897bada15db1f367be5f7a1d8e5c312

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 95897d814fa6a9d0b748cf3060f7439e sha1: 7f579f0fab65a91db1e87f9daf0c1ab169a5cb14 size: 46080
Section .data: md5: b1f767f3ff397cc8b8a21ae593a57d17 sha1: ffd2b73d3a83a868b021d6627b922b437c8e1c94 size: 1536
Section .data1: md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .data8: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .data4: md5: de9d8464de81a55c7ca1fb7c0408fbe1 sha1: c9f045a8a9cbbbe6d8b417309923f6ee40354bed size: 136704
Section .data0: md5: 2fad4a2e6bc03340166a571762954abb sha1: b47cb32bda761c6ab6414fc0e56642c74de12d38 size: 4096
Section .rsrc: md5: 3e955395b22d07fab5bf81fd4b620269 sha1: cc4e1fc025ae1d7c1345c74b466847dda689ee33 size: 1536
Timestamp: 2009-09-18 00:28:55
Version:
LegalCopyright: Copyright © McAfee Inc. Unlimited Edition
InternalName: UnlimitedEdition.exe
FileVersion: 6.0.6001.17727
CompanyName: Windows (R) Codename Longhorn DDK provider
ProductName: Unlimited Edition Version Ex-2011 by McAfee Inc.
ProductVersion: 6.0.6001.17727
FileDescription: Windows Setup API
OriginalFilename: UnlimitedEdition.exe
PEhash: a9dbc7472f7972e1a8e81d870b7f92c8ee1e81fa
IMPhash: 1114061f794b5901fcde02cbc8d0fc65

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ozysaa.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Process: C:\WINDOWS\Ozysaa.exe
Creates Mutex: O5EAZCO1OX9RTKDO

Process
↳ C:\WINDOWS\Ozysaa.exe

Registry: HKEY_CURRENT_USER\Software\Z30KYPG3WS\OluE5 ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: O5EAZCO1OX9RTKDO

Network Details:

DNS: uol.com.br (Type: A) ➝ 200.221.2.45
DNS: uol.com.br (Type: A) ➝ 200.147.67.142
DNS: imageshack.us (Type: A) ➝ 208.94.0.193
DNS: imageshack.us (Type: A) ➝ 208.94.1.8

Strings
|
.
.
.7..
(
4
g
.
..

040904B0
6.0.6001.17727
9mdTo
9qcl
BQid
CompanyName
Copyright 
fexp
FileDescription
FileVersion
FmHB
gSxQ
I2XO
InternalName
kHNo
LegalCopyright
m42s
 McAfee Inc. Unlimited Edition
Nvwu
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
u1ja
UnlimitedEdition.exe
Unlimited Edition Version Ex-2011 by McAfee Inc.
VarFileInfo
VS_VERSION_INFO
Windows (R) Codename Longhorn DDK provider
Windows Setup API
Zzr2
0QCHqgk
0#-T;EV
0T+Y/T
0wM[Ra
1C1cNN
1=ILgi8
1sw}Op
1Ug:K^1Gb
2	2h+6S
">283Q
2rK)^R
3kNkNkvH
3O6Uao
4<zpxR\
5PQfIN
5Q9JZE
;656[^
^ 6NHp
6nHTIh
\7Gm?8
7HV/;RWW
(\%=7Xi
84EbRR
8fuHqS
8qsfXV
8sZ,rl
8? Yu|
90MyciQ
acGkIIFX
ADVAPI32.dll
AO	2"5
 ~aVl1
AVLWurX
b6,0Ay
b9cv1e2vfh
(bR*J/'
:{%B	s
BuItsVnm
c9Y4zU
CAaEEVL
Ccda2X
ChildWindowFromPoint
ChooseColorA
CiYNsy
CoCreateGuid
COiYCr
COMCTL32.dll
comdlg32.dll
cOOYu y+
CoTaskMemFree
cSMZzC1zJN
`.data
@.data0
.data1
.data4
.data8
dF_0!b
d.MH1j
DragQueryFileA
#/DSFF+@
DT1qz6
eaRF@s
EbKGfE
EnTOw2$
ExitProcess
ExitThread
f%3/nR
FindTextA
!fqB"^
F-]Wn2@
fw(wRQ
<F^zKI
g7=Jjem
gdi32.dll
GDy01A
GetCommandLineA
GetErrorInfo
GetFileTitleA
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLastError
GetModuleHandleA
GetModuleHandleW
GetOpenFileNameA
GetPixel
GetProcAddress
GetSaveFileNameA
GetVersionExA
g\O|5A
GrFfpS
Gv52BY
hbjfgi
hBlFIL
hcApsDa7
hgTJnM4T
hqbTOJ
Hr2b\?
HtsYCSFRdU
i3s1vpo
i,Bq/w
ic<Efkp
IC,mVq
IERSGes
if!a:L
IJ7eRu
_IJ\im
ImageList_Add
iNP#pN
ipCR1hCy8
IsBadReadPtr
ItaC91dB
}iz^j 
j	~0Os
j5jXj/R
j6j4j5
~j7nMu
jbjjj,P
jbjRj!
jDjPj}
jfjvjq
JGAMHYfE
jgj4jB
jGj[j~Q
jhj)j`
JHO1jD
jHPimb8L
jijdj*W
J&J=1c2
j!jajQ
JjeRK"
j(jFjA
j\j,j6Q
j+j'j@P
j'jQjBj	
j\jRj)
j|jwj"
jNj2j|
>J:OG+"q
J&P|'Bm
J<pTO&-v=
jqj$jNj
JQvAULK
JS3\#a
jSj7jbQ
jSzf Q
jVjHj`Q
jwj"jhjdV
:kBdO	
kernel32.dll
KERNEL32.dll
keYyfxf
|/,kgK
KJAYqIYL
KoXmphm
Krvo2Y
L17pOZ
	l8T01
l9_6@0%
_leO&9Bk
LoadLibraryA
LoadLibraryExA
LocalAlloc
lOMkTt
lstrlenA
LWIKCG
/M5\oh
MAOOHI
MkParseDisplayName
Mlv#Fk
?MR@CMh
mrTZidt
MSVCRT.dll
m/	#;^!XO
:$"NH&
nOAI37
>NVX>%
nwLX7l
`NWqGD
o	`+_-
	|}>|o2
Ob?>#]
OB`9:K
Obh7FE
oCax5iy8qP
ocDr78B
	ocQ5"
"\O/E[I2
ok^	zO
OLE32.dll
oleaut32.dll
OLEAUT32.dll
o"]Lxu
OmeeI37C
OPV' A
O]SR?d
OvhPuf
,Ow\IN
OxOa`c
o\/ZM3
p3LDBx
-"*p=7*"_7
P/81&F/
PathGetCharTypeA
PathIsContentTypeA
PathIsDirectoryA
pbtaEXjqp
PjHj{W
Pj=j7W
prOHfvI6n
ptDzAx
ptii3a
pzZz30
q2S0A3
Q2ypre
Qb8b)Y}
@qdCG;_
Qgd1bC7Yd
QJORAvBcm
QjVj?Q
qK0bw7a
q,[Mt_
qrjwbLT
qWdjNZ
qzdYKZ
r7AMuh
r<	B,\
R<cI|6
RegCreateKeyA
RegEnumKeyA
RegEnumKeyExA
RegEnumValueA
RegisterTypeLib
RegQueryValueExA
RichQxw
>r<;iV}
RpYGKs
]rR+"Z??
@.rsrc
r&Zdgwv
s2K_qO
S:}4S_
SafeArrayCreate
SafeArrayGetElement
SafeArrayUnaccessData
sCbJ8gj
SetBkColor
SHDeleteKeyA
SHDeleteValueA
shell32.dll
SHELL32.dll
Shell_NotifyIconA
SHEnumValueA
SHFileOperationA
SHGetDesktopFolder
SHGetDiskFreeSpaceA
SHGetFileInfoA
SHGetFolderPathA
shlwapi.dll
SHLWAPI.dll
SHQueryInfoKeyA
SHQueryValueExA
SHSetValueA
SHStrDupA
sOQ9lv
sPbMhB
.S:p,K
sprintf
SysAllocStringLen
SysReAllocStringLen
SzBRTWq
{t; AY
TCqV'e
t':!|f
th7	CYl7)Im
!This program cannot be run in DOS mode.
To "$z
'TUF{C
Tv6LXH
u62P0y
[U:d4s
Ueb+J 
ugkn6t
uLUXCYmy
uMRphyl1
u`O7<#Er
}{~UqNX
Uq#~z>
user32.dll
uSO^6I
uuG'^L
UYOOAO
V0mi5w
VerFindFileA
VerQueryValueA
version.dll
VirtualAlloc
Vj1jrR
VjjjAQ
>vkC{P
vO&i	'
VY)8x-
vyZT1Qt
v&;z/.AB]
W0L%>4
wbQxtP
wIrpcrt4.dll
WkERez
Wm9zfK
woC\es
$(,wVR
/=wyJp
@W	Z=	k
xBg!oY
xdEmoj
XEoLBa
XFTrkycl
XJks7qZ
Xq?c49J
xQhIlJ
y02O:m
y5eJIN
;z16h~Hx
z'1vb3
Z3RrmG2
ZAyv5N
Zb5UuFY
zdl;U+
Z\#"`f
-ZFFW8
ZH30VM6M
\^`zo<XM
z,P}?P'r
ZQiSscP
z!r58.
zsQHIfd
ZYJNR3