Analysis Date: 2014-06-29 00:31:51
MD5: c874b2c9b9d8663e216e36a54960fade
SHA1: 59f5ddfea89530bf177aa11d227e2fb18a53157b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 2e15294cb7b97c8fd153b173274ac125 sha1: 1dbf8124f5a0ef4b8c12126c82f4dcf25252c66f size: 1024
Section: .rdata md5: 8013970f7c52c4cb5b3c11a726a2b2cb sha1: 40c0fd764dd27d6db6a647212efa7199534468cf size: 512
Section: code2 md5: a2828793777103275fc7aee40ab8fe54 sha1: f140b6098acd2ddda0d477885483ecbddf0ae64a size: 512
Section: zdata md5: 2447b871343f93a6f5b737ce06f13660 sha1: d8ef9cebcdf1446ca3d1fcffb1b87b6128e6edae size: 512
Section: codej md5: 72aab3599727f9b7622a9dfc918c6b55 sha1: 92b58cb13201716372059595293b1caaaa9fc8a0 size: 512
Section: .rsrc md5: 9fbc3b9ac032a8cca6730d321f0088a5 sha1: 8ca9c485c4f7026cf000f7dc24d463fad0a69dcf size: 58880
Timestamp: 2014-04-11 14:23:27
Version:
LegalCopyright: Copyright (C) 2003
InternalName: welled
FileVersion: 4,1,4,24
ProductName: welled Application
ProductVersion: 2,3,2,5
FileDescription: welled Application
OriginalFilename: welled.exe
Packer: PE Diminisher v0.1
PEhash: 88851ac96a4161cfe7eeb1849af2b0c8f1c2767c
IMPhash: eaeaf27597bb0523389a72cda6281fd0
AV: 360 Safe - Gen:Variant.Zusy.89319
AV: Ad-Aware - Gen:Variant.Zusy.89319
AV: Alwil (avast) - Kryptik-NRD [Trj]
AV: Arcabit (arcavir) - no_virus
AV: Authentium - no_virus
AV: Avira (antivir) - TR/ATRAPS.Gen
AV: CA (E-Trust Ino) - no_virus
AV: CAT (quickheal) - TrojanDownloader.Cutwail.r6
AV: ClamAV - no_virus
AV: Dr. Web - BackDoor.Bulknet.1150
AV: Emsisoft - no_virus
AV: Eset (nod32) - Win32/Kryptik.BZQQ
AV: Fortinet - W32/Agent.APDJ!tr
AV: Frisk (f-prot) - no_virus
AV: F-Secure - Gen:Variant.Zusy.89319
AV: Grisoft (avg) - no_virus
AV: Ikarus - Trojan-Downloader.Win32.Cutwail
AV: K7 - no_virus
AV: Kaspersky - Trojan.Win32.Agentb.apdj
AV: MalwareBytes - Trojan.Cryptor.XGen
AV: Mcafee - no_virus
AV: Microsoft Security Essentials - TrojanDownloader:Win32/Cutwail.BS
AV: MicroWorld (escan) - Gen:Variant.Zusy.89319
AV: Norman - no_virus
AV: Rising - no_virus
AV: Sophos - no_virus
AV: Symantec - Trojan.Pandex!gen4
AV: Trend Micro - TROJ_CUTWIL.SM1J
AV: VirusBlokAda (vba32) - Trojan.Agentb

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\noqothywoshu ➝ C:\Documents and Settings\Administrator\noqothywoshu.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cath4choice[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sigmametalsinc[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\colourprint[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\upsilon89[1].htm
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sigmametalsinc[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\capitalcitytuxedo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dbcomponents[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\iaiglobal.or[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tavdi[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\detanses[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\golfpark-moossee[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\cath4choice[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sigmametalsinc[2].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\upsilon89[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sigmametalsinc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\capitalcitytuxedo[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

HTTP POST: http://sigmametalsinc.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://sigmametalsinc.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://upsilon89.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://cath4choice.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1038 ➝ 208.113.149.173:80
Flows TCP: 192.168.1.1:1039 ➝ 208.113.149.173:80
Flows TCP: 192.168.1.1:1041 ➝ 151.236.48.69:80
Flows TCP: 192.168.1.1:1043 ➝ 76.12.228.8:80
Flows TCP: 192.168.1.1:1045 ➝ 67.223.102.236:80
Flows TCP: 192.168.1.1:1046 ➝ 199.83.130.50:80

Raw Pcap


Strings