Analysis Date: 2018-02-20 15:05:22
MD5: ce0393b9f372db5d8b71557365dafe82
SHA1: e3bcb57f34800b9022b08f6fe1d48c8a43ec2f9a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 369adc8d7c516a8a76cbfa42d4cf8ad3 sha1: f3b6a0e85f3f1a2c481adba3fe38093af7dd59c3 size: 197632
Section .rsrc md5: e46fee14d55305478482802130db29c5 sha1: fbfa513825eb934bd6d920fc0cec0cbea7f7bcef size: 8192
Timestamp: 2007-05-25 14:27:07
Version: CompiledScript: Nhatquanglan
FileVersion: 1,1,1,1
FileDescription:
Packer: UPX -> www.upx.sourceforge.net
PEhash: 511d1e66c59abd56478aca56cde5a213ea3d65e5
AV Arcabit (arcavir): Trojan.Autoit.SS
AV Authentium: W32/Worm.KFLC-8264
AV Grisoft (avg): Error Scanning File
AV Avira (antivir): Worm/Autorun.K
AV Alwil (avast): AutoRun-BM [Wrm]
AV Ad-Aware: Trojan.Autoit.SS
AV BitDefender: Trojan.Autoit.SS
AV BullGuard: Trojan.Autoit.SS
AV ClamAV: Error Scanning File
AV Dr. Web: Trojan.DownLoader5.12421
AV Emsisoft: Trojan.Autoit.SS
AV MicroWorld (escan): Trojan.Autoit.SS
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: W32/YahLover.SJ!worm
AV Frisk (f-prot): W32/Worm.FRY
AV F-Secure: Trojan.Autoit.SS
AV Ikarus: Error Scanning File
AV K7: Trojan ( 000159a71 )
AV Kaspersky: Worm.Win32.AutoRun.k
AV MalwareBytes: No Virus
AV Mcafee: W32/YahLover.worm.gen
AV Microsoft Security Essentials: Worm:Win32/Nuqel.Q
AV NANO: Trojan.Win32.Autoruner.wuldf
AV Eset (nod32): Win32/AutoRun.Autoit.EI worm
AV Padvish: Malware.Trojan.Autorun-19
AV CAT (quickheal): No Virus
AV Rising: Trojan.Win32.Nodef.dqk
AV 360 Safe: Worm.Win32.FakeFolder.AW
AV SUPERAntiSpyware: Trojan.Agent/Gen-AutoIt
AV Symantec: W32.Imaut!gen1
AV Trend Micro: WORM_YAHLOVER.AL
AV Twister: Virus.0000@32000800@2FF0.mg
AV VirusBlokAda (vba32): Trojan.Autoit.F
AV Windows Defender: Worm:Win32/Nuqel.Q
AV Zillya!: Downloader.AutoIt.Win32.1

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Network Details:

DNS setting3.9999mb.com
Type: A
127.0.0.1
DNS www.freewebs.com
Type: A
75.98.17.24
DNS setting3.yeahost.com
Type: A
HTTP GET http://www.freewebs.com/setting3/setting.doc
User-Agent:
HTTP GET http://www.freewebs.com/setting3/setting.xls
User-Agent:
Flows TCP 192.168.1.1:1033 ➝ 75.98.17.24:80
Flows TCP 192.168.1.1:1034 ➝ 75.98.17.24:80

Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f736574 74696e67 2e646f63   GET /setting.doc
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   20736574 74696e67 332e7965 61686f73    setting3.yeahos
0x00000030 (00048)   742e636f 6d0d0a43 61636865 2d436f6e   t.com..Cache-Con
0x00000040 (00064)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000050 (00080)   0d0a7366 746e6373 692e636f 6d0d0a0d   ..sftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f736574 74696e67 2e646f63   GET /setting.doc
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   20736574 74696e67 332e3939 39396d62    setting3.9999mb
0x00000030 (00048)   2e636f6d 0d0a4361 6368652d 436f6e74   .com..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000050 (00080)   0a0a7366 746e6373 692e636f 6d0d0a0d   ..sftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f736574 74696e67 332f7365   GET /setting3/se
0x00000010 (00016)   7474696e 672e646f 63204854 54502f31   tting.doc HTTP/1
0x00000020 (00032)   2e310d0a 486f7374 3a207777 772e6672   .1..Host: www.fr
0x00000030 (00048)   65657765 62732e63 6f6d0d0a 43616368   eewebs.com..Cach
0x00000040 (00064)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x00000050 (00080)   6368650d 0a0d0a73 692e636f 6d0d0a0d   che....si.com...
0x00000060 (00096)   0a                                    .


Strings
..uV
@
."
... .
.
Q
.
.
A=.
K
.
.
.
.
U
A...
...~
.
O.H.
~
.
--..
X...
uj
9E
.E
}k
w
.
..
9.Ek
..
9
.E
..uV
@
."
... .
.
Q
.
.
A=.
K
.
.
.
.
U
A...
...~
.
O.H.
~
.
--..
X...
uj
9E

080904B0
1,1,1,1
CompiledScript
FileDescription
FileVersion
Nhatquanglan
sargen
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
>=;@0=+
]0"(!(
+#0~!{
02X7ILE/&au
02xx:#
\.04< 
,04< '9
04</ O
07hlnw
$0	7	.N
 0c{Pp@
0DI}p'@[~t~
0$'I$}
<,0jK#p
*0Mw{D
*>\?0n
-#0/}*QIA
0rD+f1
0VcybP
 	=_(1
_15:&*E8
$`1<[aOl
1}FA27
1GzD<x
$@1^$h
>:1NA:
1#QNAN
<1SnBi
1UWS;&
20xaa_WLQfH
!> 255
28TgBN
2!  L!
2RGmD	
2"XFki
2?xHw-
3<3/2e
33RH=M
<3|B59
3UB<4x#
^3VxB;H
3x T=;!j
3xtVIO
3z2n1	
@,4406
44s9G$
49|_g-'G
49[+SVsa
49x$uM
@\4A@BBs
4A.\hm<
{4C7S7s
4.cKMGP
4e8q<D
4GHTGG2
4%h4$~
4hbD1(
4IK!Lg
4MsIH?h94M
4Mu]&q
4NCn}U
4N,n&O`4M
#4paJ]
4Q4qd(
4Tf&6V
4TK^M-9
4#TyN2
4uu8@<
~4V|ra
4XL&-D
/4Xu8F0
50fZi@
5$6F5O
?5-73'9c
5CHX<Th
&5&@cx'~
5}DlgC.lcy
5I3?'c@4
5IIDpw.
|	5mxo
5punwcA
5]QPCH
5SQh(m
5;U+VaX
5 yh2HN
69Mxu	
=^,6,BRX 
*6PHj:
6qR;?~^
>6?T$=
6	t]Hq
_@#6_u\
_=6UdC
6u(pw?
6WW@PS
;7~&]|
72KMVxV
]74Y\u
7.%5	B
+789:;<=>?@
7E`BCG
7$E(Q,4
7FrqH3
7HardL6kW
7&i@4L
}7'<kSf~
7RhTA!
=7S/$%WA,.
7<*<Tl
7"tt Expj
7Wtgx0
7X1@MT
82L`aa=PLN
>86*ET_
876rrrr5432
88xv7-c
+8f=Nh
 "&-8j
 8J5H	
*+8p$9
~8v"mO
8YZDu\
932Lu&
93<=f?
93:V`"tj
9:50:3
#$$%&'()9**9+,-./
\9999`dhl9999ptx|
 9d*;O;l`
9G uAS
9Hv(SR
9Ib1:4
9?J^nV#J
9Lv?Rai{
9Q QZ.M
9Q<Z6~
9QZ^&j
|9r(t^
9UX?E\
9vZ'P6
9	xMd!<
9/zIu@
A0ZW@ci
A]98tgA
 aAeEiIoOuUyYnN 
@,aCCq=V
ACiLs@
Ad-}`^
a D160
ADVAPI32.dll
A /e^X_-/
ageBoxA
aH"d2l2
aiXH9bI
%a|m>$
\}+am;E
a?MhbN
"an07e9c9
anaeluguaT][
aNi]JW
ap1WVvP
@ar,\i
AS`AtPk[d
ASC 70EF5&0
</assembly>
	<assemblyIdentity
			<assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
aTgqEm
AU3!EA05
AUTORUN INF'
_aYSOM
"@B (\
b4:q-H
b8s[eau]x
b\Bzie
"bd<Hxf x
b&Dqup
bdSR\l
"b>~h?
BK<Gx(
Bmo~ th
)b$O#p
brac0)Ln-
;brD$:
-|#;bS
+`Bs3Z
b[t|h,!
bTkRN3
BVPVq(Ll
!bVWv4
b*wjFQB)
:b)x(<
b. X=O
/C;]|~
C(}1!0Q@|O
@`"c$3
C!5/<8
cab>ld?C
ce/sco,.dllB
Cg$(Im
Cgw9vtq
Cj~-0V
cM}g:~
%>CMP.D9
;C%&o%&
CoInitialize
COMCTL32.dll
comdlg32.dll
CorExitPro
CS5qt/S
csQ0QA/t
#CTRL 
cu?F;Jr
CWBB-z
_CwK(l
D:/+ ~=
@d7o	8
'@d9At
DbB2C2
d;ebCr
dehqlt0
	</dependency>
	<dependency>
		</dependentAssembly>
		<dependentAssembly>
	<description>AutoIt v3</description>
dF`V*-D{5`LE
D!h(`!
D~Hv`G
DiskfS
dk\MisA
`dlPeB&
?d_n[C
DON2(}
DragFinish
dr: pPv
Ds":tu
@/*dV=
dVd;pr
DV%Fy>L
D*Wt!C
dx?|0{Zy
dXK480e
dXPD<-Q
}dY5E|)
e@+ \,
.{E2f:p
<e6tl:H(
e6X`[K
EA0yw+frb
eatina DEF;g
EfBV"Ld
Ef`F5`
&efX<B
,E	hh~M
Ehu{x%
EJ|I<R
E$j	Xv
enNEWLI
eODSCA
E<op_Dev
EPtetX
@@;E$r
Er90BZ
ESN	;v
eTp(tMg
ExitProcess
,#F ;'
\#F#4n
_F=4$pa
	F\7oF
FAJRTI
+fE@V1+
`f`f`f`f`f`f
`f`f`f`f`f`f`f
f f+G<
f`!Hl1
{F,)}L
,fMnf:Y
FOUND   000
`ftEow
,>Ftfz
FU4u2&
f UTF-8pde)
[?FV;-
(FvU0LSj
FWP'E'X
fX*^f`
(g3>* 
{=GB9B
GDI32.dll
GetProcAddress
GetSaveFileNameW
`	@GFQM0
?gG;X[
GHIJKLMNO+ l
Gh)Z7OJH
GjrY9 
gm:_6t
g>m: -d
GNbalM
gsW2aSs|
>Gu4:*#
`#Gu_M
Gurmuk
>GWw0jCl
GYB0<R
_[h;/4
)H4[OeL
h(8Hj*:
H}AU3!EA05
HCqd/d
/@hd*x$t
|h D^$ZM
HHu/H(
h.h,v 1.1 2004p/
HK);#j
(.Hl\%
HlIk3!
[HL	@]w
h_O;_:
hpu70%d
h)pVO4
hr1XC(
ht5qB9
ht lCn6
Hugnod
hvRF14
"h.WCQWbr7H)
},,| i
i-!*`/}
i<0Kt)
i49!	$
i4k!Vr
/~i9Kr
I9MNWl
ICe%`e2|
:`IcZ_
	<!-- Identify the application dependencies. -->
	<!-- Identify the application security requirements. -->
` $Id: q
I.e5\i
iEVwVu
iGS:rC
iJRKR>
ik3_K H
*> iki
I!l2j 4
i_Legb@wB
ImageList_Remove
i"m tn
inconstw
IoC<H2
i<!QpCP
iS3O:0Zm+
itn6:w
i,ve}#19
J[>  $
j\0?sC
j,61vT
jc^>-^h
jdqVmf
JFebMarApr
jf(FCo
jG*G?|
JjhQsM(
"j'l!m
JmCf.V
jn?tc{
J/Q4j<
jQ<U@RT
j ,rLXK
JS6h%Mx=
JsZ,0^Q
._JT<T
j]V)UK
j[VZiF
jwA"8<G
Jw+pj(
j$Yj`CwB
j)Z2I68B
=^k4dm
K7&#cT
KERN	9p
KERNEL32.DLL
^kfS^<
kg4dpf 
Kg+wVm]G
|KHIT!
kK8lSf
k~py'Ma
kU^)Q.
kUrlW'Qu
*_Kwv%L
Kww8Fjx
kW)xVF
K"X5"7SvR
+K"Xt"57
l05_f;
l0bg'N
L2zF4b
l[?37Zd
L<3HZ!
l}79=B
L9] tG
				language="*"
lAugSepOctNovDe`O
					level="asInvoker"
l(`_^f
l[@	{fD
(l#hm ~!
LineTo
L<+J+R
lkE7p,
lkoew_
?[/LL)
LLAUNCH_APP2
 lM<F4[
LoadLibraryA
LPT\0<
LPw|7uX=
!L]/QA
^LS[KC
=_LszS
<l`TH<
l! &tiv
,^lu=6:
+lU7[&.
]lu89d
~Lyt2i
lZSCL;C[Mk_c7PG
m*2Ct&
M53q$vjj
M9VRMp
M$dB>|
m&|^g/
mGL7d&
mGS#Fe
,M>)H^
mKF(.ximskw7
ModuleB
MOUSE_XBUTTON2
`M@&@&p
mpilgw,k
m-,$Pln~
MPR.dll
,Mr}yW
MT~J,x
@mtPt+
~!m]w'
mwe~ys
^Mz=_[
mZoo E:R
@N2LM,\e
"n+$"2!V%
)N4N4@.9@
#'n5DTy:6
	    name="AutoIt3"
				name="Microsoft.Windows.Common-Controls"
NbCBjA
NBKl\3
Nb Qnk
Nc&CA;
nh}*~%Y
	\Ni ]
|n "IXI
njSMtE
N~N:P<
|nnW}o
,N#rH^
(n^"s4#m
NsO&(C3
	>nt&9f
=nw&szNH
O       
;O~0f::CS
]o=#3+n\
O6\/	{
O6\M+v
oA buf
]OAddrV]
{OBvL.
Od&LHh
oh\De"H/
oihoe*M
.O/Ivk
ole32.dll
OLEAUT32.dll
>o>o.A
(optiona
o"pViewOf
Ot8jZ0
oVFiy(
ovI`py
OX-P`GOU
p0Zzip"
P( 1= 
p4af8'
@p4L.w09
p4S]_^
P'9qhh
p-|b%S
)|PD3S2I0H
p<d9Y"
/pDk)V
p<D$.+m2LP\
=P!e@u
*`PF	j
(?PGBurx
PGYPS?
pHX7[w
P{kG!G2M'bb
PM(8PX?{
	    processorArchitecture="*"
				processorArchitecture="*"
PSSOkA
PTq\$H
P:tT,i2
p'tuvnh
				publicKeyToken="6595b64144ccf1df"
p'.#W,
PWlP)4
\PWVWl
pY89Ms
PZ0h/ 
Q\|00XRWfa
>QDfU]D
;<Q@]DL
`qdlLte
Q~\fN&D
%q I0o
qkL_F5
[qlW0O7G
qM9sP!
q<}pD%
*QP!xo
q'rS&Nx8
qrstuvwxyz[\]^_`>
q}rYy 
qW*PW2y
-$,/qx!
 (!%!r
r1~L<@
r32E?N
~R$4nD
$#R6029
R6id#$
r9<@DL
R!b@r1<Av7<Cv)<Ev/<Gw!
*Rb(V:P
r\bW.N
rdv6GX
Recychin
RECYCLER   
RegCloseKey
				<requestedExecutionLevel
			</requestedPrivileges>
			<requestedPrivileges>
R<;F4u
|Rgp Q
RKusi`
RLK%EXh
(RLP{f
"roJ^@
RUBIAS~1JPG 
RUBIAS~2JPG 
RUBIAS~3JPG 
Rv<U8aG
RzA9E7
--s=["
:{s$!,
\.`\?s[
@_+!S2
=s2VNQ
s4?Wsy
&s5SrC
@	S7i<Q8
's_]8j
s.ak[bS
S$|C,43
sChT3 2
s$-c!N
SCVHOST EXE'
		</security>
		<security>
S       EXE
S\g is not followed by an _{3
sgW!h0
SHELL32.dll
/SHIFT(
sHx-b$3
SJidBr
.sJnfS
S`~L(A
 So+ f
|std5puB0+xlvi
)su0l\
&_Sw}}
Sw`f`f`f`f`f
SWmP- o
sxCskK>B
T00@@>
t69~$u
%,t6H0
T@7p/[`r6
@='t/B#
tb1n+M
tb	+	a
tBs"S ;
TD&DH(
t*fID|
TFxHEcB6
TH4B_)u
!This program cannot be run in DOS mode.
~thLog
t$I3/69I
timeGetTime
t+"jB^
t>Jt3JuF
^T:l;F
-tM749
TNrXJ%
Toolhelp,SnapsholS@
tp0OpII`
<`Tqt>
t	r!]C
tRuMG+
	</trustInfo>
	<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
~`t ~S
-tt.t`/~5J
t:t"<u^
Tt&)|Z
TueWedThuFriS
tuvwxyN
 =@TwD
TXr0si
t_Y4@(
	    type="win32"
				type="win32"
u(1Zo)
u2pe2.
u?5u	/$FF
UAbaRy
<u/ci9;
ucX['/
ue&d>M
uFFNKR
#}UF"lQ
					uiAccess="false"/>
uJs!58
;UkrvW
 ul29~
u?Ohxpq
#uOouI
USER32.dll
usZ-Dec
	':}UT
uv1(,v
uV38p)f+_
uv`H1j~
u/Vj)$
:UW31"y~
uyxozQx.Xe
+$.`><V
>v{2ww
v4oi xb$T
v 9`},
V`\#9#
VC20XCJ
V       CMD
=VduFYJ
VerQueryValueW
	    version="3.0.0.0"
				version="6.0.0.0"
VERSION.dll
v*H<?tZ
vh/%]%X<Xn
VirtualAlloc
VirtualFree
VirtualProtect
Vk\ScD
&v`kwo
V_logE
vL*u-m[
@vnuo(
/;VoFP
%Volu|
VP4Tao
VPAPc'
vPfDdf\
v	#(qS
/Vqyjr
vrrACPgR/
*VS/A%
V$SueV
;Vv	N4
V.+'W]
-+Vx_9&$
}]}Vxx
Vyj!V 
w3*XQZ/
w+4[fR
^W6>{[
(w$~'"8
Wa,Vb9JZTe
\'W$Bbm
"WFFi	
w_G/C#
WINMM.dll
"WJ]&Q
WNetUseConnectionW
/%&`w[NH
(@WO*)
Wp8%ZllW
=;w s1
WSOCK32.dll
^WSoS_
WT5W]-W
<w(v.$!
W|:;V"
\WW!~,
<?WWSc
WxpHtcH
w[Y)W'r
x02Sfc
X?6pMT=
X9~\ug
:xBJ}4
+XD]WV]q
{>x!^E1
xh4y;h
x`h+7-V
x@HC<p
xhdc7'
:!;-~XI|
{xko(>
[Xkq K
xlI)^hG
&XlWx7Z3t
xm2@@kgC
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XMoJPCZp
XPTPSW
X(P\,~W
xR=`CH
x[.r*y
xt$@"7
XtMdtH~j
|xtplhy
`xUbb_
+)x"V*W
X} .x>
y"!' 	
.Y21/Au
&y3I9G
Y$AC'`
ybcdef
	yD , C
yd`\XP
YHHFD{
yhLD8,
;&YiUg
Y#O_\	
yP8'pW
ypdXL@
yPtbkr
yRu>xP
Y[tns6
y[%UL&
y)v	!_HD|A
}>Yw\;
]ywtvW
yXL@<8xz
YYg3W0
yz{$-%y
z3Dt?j
Z7\377|
z BB}t(
:ZD`Zx
]zF&lO:u
z_F{@vp
Z!J{ME
>Z!Key
Z.NET RK
ZoshZw
z"$P g
Z:qS+o1
zSi*Morujx
zv9.76f
ZY&&AF7
Zy(Xp:
ZYZ_NX