Analysis Date: 2014-06-16 00:05:45
MD5: 7e5586235f46aeed1beb2d2d5c548136
SHA1: 196e287e0c43b54a402b46fc2667db8b99d6f135

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: ac7c385b9e9e21c76d25da1e5bc00f4b sha1: a3b705e0d83cfbace154d2af7e9d6189d7d7857e size: 110592
Section .rdata md5: f6197838f4c1e105c499464be8f45541 sha1: 8523af3ab7e6898e9b6c3f608ddce7325c1a497b size: 1024
Section .data md5: 29242e701f87ce7b3873c6956f680e33 sha1: fc632f017cdfad56126e8d4cce0a7b84208d9ae1 size: 47104
Section .apexi md5: 0a35266149d937414b9a36e7fc92e755 sha1: f2e64e05daac71d1cc2c30dee769ce9b2b2ef8a4 size: 1024
Timestamp: 2005-11-28 23:14:48
Version:
ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1134
PEhash: 2ca8a849bd2cae24ff9f644fd76d2b70932f0697
IMPhash: 585648eeabd35fb47c51085a1435616d
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.G.gen!Eldorado
AV Avira (antivir): BDS/Gbot.aida
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Cycbot-6948
AV Dr. Web: BackDoor.Gbot.33
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.MIA
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.G.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Win32/Heri
AV Ikarus: Backdoor.Win32.Gbot
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BP
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SMX
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: pdadatarestore.com
Winsock DNS: 127.0.0.1
Winsock DNS: hollandandbarrett.com
Winsock DNS: hostinganddedic.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: hollandandbarrett.com, Type: A, 213.62.84.113
DNS: zonetf.com, Type: A, 208.73.211.250
DNS: zonetf.com, Type: A, 208.73.211.182
DNS: zonetf.com, Type: A, 208.73.211.176
DNS: zonetf.com, Type: A, 208.73.211.167
DNS: zonetf.com, Type: A, 208.73.211.161
DNS: zonetf.com, Type: A, 208.73.211.161
DNS: zonetf.com, Type: A, 208.73.211.250
DNS: zonetf.com, Type: A, 208.73.211.182
DNS: zonetf.com, Type: A, 208.73.211.176
DNS: zonetf.com, Type: A, 208.73.211.167
DNS: pdadatarestore.com, Type: A
DNS: hostinganddedic.com, Type: A
HTTP GET: http://hollandandbarrett.com/images/footer/account.gif?v13=74&tq=gKZEtzyqivdHbbTw9YxVOkMJiWv89wfp43kQmCEn3SSNchn%2Fr%2BwOGXpQ3YnWf0cfQAXL3IKT%2BdQ2wsu3eVZFC557jVtJ4PPyQP55yQIVA3gshjw%2FeF3jNyGwt2I9SsBLCLTAeDGXFJIX1vzBz3POupYYfjBYzx4QsdsJEINAU6Sd13BklTrvsH1c%2FDfDkG%2BrXtM9tIj43zGnpkhQ7ASvQzniW%2FqmtUbCLi8CfrTn0crdZdct%2FnM0iV2Ur%2BqpVDV%2FQkDCjYi1UcJnML4k3vioqXoZIpo1m62JtcpjA3aLfcouMV%2FbsBbyvfHYzorwmiFHry3PAxCPdDRYfk57lE%2F57Vb71i7EeiLjSN0tpuiqW6LPOgtsshWnUiqpWAhXWjPEqWolEVDFRoe5gwjXHApjDu%2BKepkTWMZS70bfZPsGX2TAf9ji%2FI%2FVPgeGVFMelG
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 213.62.84.113:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.161:80

Raw Pcap


Strings