Analysis Date: 2014-05-21 18:49:15
MD5: 6e59a443e4cd870bfece774c601c50f1
SHA1: 45ce0e2bee08d95e40e376849c9324e6af1f57d7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 97459e62cd016c071f5b64db61346661 sha1: a991ae2f0f94b1c4c81927c62f4ef0e63253b8e4 size: 122880
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: 03c492a24f987ddd4517a134071618fd sha1: f59c162aec34a4fc6d62fbd09f2ecd267176d243 size: 118784
Section .2data md5: abc6665205cad20d51f714abaf0da889 sha1: e53cce6c8614b7ab4da5b72da0c010f78cfe2a40 size: 61440
Timestamp: 2008-01-22 10:22:14
Version
InternalName: Eset Login Viewer v1.2
FileVersion: 1.00.0009
CompanyName: ForumW.org
Comments: Developed by avi01
ProductName: ESET Login Finder by avi01!!
ProductVersion: 1.00.0009
FileDescription: Get ESET Logins!
OriginalFilename: Eset Login Viewer v1.2.exe
PEhash: e34174cf13cdf99cc8d734f49c02e22605bba09d
IMPhash: 572ea0886baee73fb8b06601bcb38e74
AV Alwil (avast): Kukacka:Win32:Kukacka
AV Arcabit (arcavir): W32.Sality.V
AV Authentium: W32/Sality.AJ
AV Avira (antivir): W32/Sality
AV CA (E-Trust Ino): Win32/Sality.X
AV CAT (quickheal): W32.Sality.R
AV ClamAV: W32.Sality-27
AV Dr. Web: Win32.Sector.5
AV Eset (nod32): Win32/Sality.NAO virus
AV Fortinet: W32/Sality.AA
AV Frisk (f-prot): W32/Sality.AJ
AV F-Secure: Win32.Sality.2.OE
AV Grisoft (avg): Win32/Tanatos.J
AV Ikarus: Trojan-PWS.LDPinch
AV Kaspersky: Virus.Win32.Sality.gen
AV MalwareBytes: no_virus
AV Mcafee: W32/Sality.gen
AV Microsoft Security Essentials: Virus:Win32/Sality.AM
AV MicroWorld (escan): Win32.Sality.2.OE
AV Norman: win32/Sality.BBYL
AV Rising: Win32.KUKU.ky
AV Sophos: W32/Sality-AM
AV Symantec: W32.Sality.AE
AV Trend Micro: PE_SALITY.EK
AV VirusBlokAda (vba32): Virus.Win32.Sality.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Administrator914\-993627007\1768776769 ➝ 28
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Administrator914\A1_0 ➝ 3432392762
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\WINDOWS\SYSTEM.INI
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBB75.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: monitor.exeM_1156_
Creates Mutex: services.exeM_616_
Creates Mutex: svchost.exeM_1028_
Creates Mutex: smss.exeM_492_
Creates Mutex: WininetConnectionMutex
Creates Mutex: svchost.exeM_816_
Creates Mutex: lsass.exeM_628_
Creates Mutex: Op1mutx9
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: userinit.exeM_236_
Creates Mutex: spoolsv.exeM_1312_
Creates Mutex: alg.exeM_1856_
Creates Mutex: svchost.exeM_1216_
Creates Mutex: reader_sl.exeM_972_
Creates Mutex: explorer.exeM_324_
Creates Mutex: malware.exeM_1208_
Creates Mutex: svchost.exeM_1140_
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: net.exeM_1112_
Creates Mutex: csrss.exeM_548_
Creates Mutex: svchost.exeM_860_
Creates Mutex: cmd.exeM_980_
Creates Mutex: winlogon.exeM_572_
Creates Mutex: svchost.exeM_1120_
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: net1.exeM_1068_
Winsock DNS: www.for-ever.cn

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex: userinit.exeM_236_
Creates Mutex: Op1mutx9

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Mutex: explorer.exeM_324_
Creates Mutex: Op1mutx9

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: reader_sl.exeM_972_
Creates Mutex: Op1mutx9

Network Details:

DNS: www.for-ever.cn
Type: A
208.73.211.245
HTTP GET: http://www.for-ever.cn/nod32/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.245:80

Raw Pcap


Strings
040904B0
1.00.0009
Comments
CompanyName
Developed by avi01
ESET Login Finder by avi01!!
Eset Login Viewer v1.2
Eset Login Viewer v1.2.exe
FileDescription
FileVersion
ForumW.org
Get ESET Logins!
http
http:///
http://forumw.org/viewtopic.php?t=271177
http://nod32.persiangig.com/ups/
http://www.for-ever.cn/nod32/
InternalName
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
avi01 ESET Logins Viewer v1.2 .:: http://forumw.org/viewtopic.php?t=271177 ::.
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
C:\WINDOWS\system32\ieframe.oca
ESET Logins Finder
Eset Login Viewer v1.2
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
&Exit Application
frmFull
Get ESET Logins!
GLDPNG ver 3.4q
ieframe.dll
MSVBVM60.DLL
ReadyState
&Refresh
Server
SHDocVwCtl
SHDocVwCtl.WebBrowser
tEXtSoftware
!This program cannot be run in DOS mode.
VB5!6&*
VBA6.DLL
__vbaChkstk
__vbaEnd
__vbaExceptHandler
__vbaFPException
__vbaFreeObj
__vbaHresultCheckObj
__vbaLateIdCall
__vbaNew2
__vbaObjSet
__vbaObjSetAddref
__vbaOnError
View list Of ESET Unofficial &Servers!
&Visit Author's Eset Page
WebBrowser
WebBrowser1