Analysis Date: 2014-06-15 07:48:06
MD5: 99feb5310dd4b5d9514559217fc26bca
SHA1: b01e29d79900c9f6669ff779f60ba8ce56e2089d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7171226e8bf4104b07043d5d1802efbd sha1: 0d9fd96a255c606b0940496f130576b115610377 size: 115712
Section .tls: md5: 80702f40c5035bacb5678a31b67f5988 sha1: 039832a7c064543bf8a7a77c163b112e96b3a8ca size: 1024
Section .data: md5: 1750c2a2c6b6eb44dd3463dcfca11427 sha1: 2bc0e2a21a1348bb5c36f6c97bb9bc0bb1652839 size: 79360
Section .reloc: md5: c23ca68b7382c57dde32d9aa85a63557 sha1: d877c87ea4a063674a9cc3304dc4c8415a306ca7 size: 1024
Timestamp: 2005-09-11 09:37:54
PEhash: 91bba46164d7f19e1c9bb901537da8e28a1ed31a
IMPhash: 3bdc2f66d4c93999a02759dfb542383f
AV 360 Safe: Gen:Heur.FKP.6
AV Ad-Aware: Gen:Heur.FKP.6
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/FakeAlert.J!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-1111
AV Dr. Web: BackDoor.Gbot.70
AV Emsisoft: Gen:Heur.FKP.6
AV Eset (nod32): Win32/Kryptik.SMY
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Heur.FKP.6
AV Grisoft (avg): Cryptic.DQX
AV Ikarus: Backdoor.Win32.Cycbot
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.FKP.6
AV Norman: winpe/Cycbot.EC
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen5
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {F053D246-5CC9-46E9-9C51-723D87E9990B}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {5D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: calaculat.com
Winsock DNS: 127.0.0.1
Winsock DNS: lostpropaganda.net
Winsock DNS: file4exchange.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS zonedg.com (Type: A) ➝ 208.73.211.249
DNS zonedg.com (Type: A) ➝ 208.73.211.164
DNS zonedg.com (Type: A) ➝ 208.73.211.177
DNS zonedg.com (Type: A) ➝ 208.73.211.182
DNS zonedg.com (Type: A) ➝ 208.73.211.236
DNS lostpropaganda.net (Type: A)
DNS calaculat.com (Type: A)
DNS file4exchange.com (Type: A)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNx1Kv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNzVKv975Xlm5G
  User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJuX%2BSNxb5ygm1C4lKv975Xlm5G
  User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1034 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1040 ➝ 208.73.211.249:80

Raw Pcap

Strings