Analysis Date: 2014-10-10 07:51:29
MD5: 00e47b3e97d00142e11abc2d89f14c75
SHA1: af2d3ff9975ca11a6c4b1216d82d7cdaea53bd2c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 06e62cadf2d2273ff22c16dae2c15a42 sha1: 82c5b35cabf21500782f0407b77c650bf58edbb1 size: 102400
Section .rdata md5: 1a5d10c2b4e98eb0475ad736b75184f7 sha1: bd937b9d68f3289dee8f11072682b0dc68c23235 size: 1024
Section .data md5: 5f7f65c9396d8c2465e04b0fdd51fd5b sha1: ed5e698f504e7f2828baa82f512a8ad709342bd0 size: 16896
Section .rsrc md5: 285547e3e6a862d070a9ce3649b460ba sha1: c86afa6c8f72ef1436c15d436cab0dd305d659a5 size: 1024
Timestamp: 2005-11-04 11:34:18
Version: PrivateBuild: 1108
PEhash: a5422ffe1e7b1c3084c9da22dad9ab7b177cf485
IMPhash: 7a8e72223ff97524dacd66c849891a0f
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gbot.Bs
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: Trojan.DownLoader1.45971
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Cycbot.AA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.AW
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Backdoor.Gbot
AV Yara APT: no_virus
AV Zillya!: Backdoor.Gbot.Win32.892

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonejm.com
Winsock DNS: sharewareconnection.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: sharewareconnection.com (Type: A) ➝ 216.240.159.81
DNS: zonejm.com (Type: A) ➝ 23.239.15.54
DNS: www.google.com (Type: A) ➝ 74.125.225.113
DNS: www.google.com (Type: A) ➝ 74.125.225.114
DNS: www.google.com (Type: A) ➝ 74.125.225.115
DNS: www.google.com (Type: A) ➝ 74.125.225.116
DNS: www.google.com (Type: A) ➝ 74.125.225.112
DNS: zoneck.com (Type: A) ➝ 208.79.234.132
DNS: zoneck.com (Type: A) ➝ 208.79.234.132
DNS: motherboardstest.com (Type: A) ➝ 204.11.56.26
DNS: xibudific.cn (Type: A)
HTTP GET: http://sharewareconnection.com/images/ubar_0.jpg?tq=gP4aKydQZfgUCJsMDQAWQglob5vTDMUFIo9SDVe0UADQbZs6r6b87JrTffj73qLsnP%2FlHUBob%2BUGF2Gc5xNeyQVTjFZhx4xLfpq4KWc2Wf4%2Booh6V%2F9Eb%2FLxP03OX%2FrpZ8pUzjXltsZBs3laoqT3gc00MylJTHkP%2BSi%2FsCZ9ItfW5q8GY75%2Bnw5kAHMaLYCD0x9Dd9KHPqyG3KLGP6UhaCBJU9UKp6tPlhjosaTKrq4YOf9gzvPpfc1swbkgT0O63s81CicPC3cUmx3euiPdgE9U9olkzQNNUZvyHcMc%2BXECnIkIna%2FFEDAJht%2BfwURPjvlnjSM7FTZr6
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gJ4WK%2FSUh7zEhRMw9YLRsrCSUz2kw8a3nNQLabnVsMLElls0rNa1x7KTVjnaoLe2wecnKK7Ql6TH51IortCC5IaGUUmp1NLyyZJqtUn5CGFIRQ%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2kw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2kw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbNaK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq3OjbwvgS917W65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq3OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1032 ➝ 216.240.159.81:80
Flows TCP: 192.168.1.1:1033 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1034 ➝ 74.125.225.113:80
Flows TCP: 192.168.1.1:1035 ➝ 74.125.225.113:80
Flows TCP: 192.168.1.1:1036 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1037 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1038 ➝ 204.11.56.26:80
Flows TCP: 192.168.1.1:1039 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1040 ➝ 208.79.234.132:80
